How to enable compression in asp.net Core 2.2 project for https site and avoid problems like CRIME and BREACH

Question

I have a web application that is written using C# on the top of ASP.NET Core 2.2 MVC framework.

My application displays lots of images on every request which makes load time high and increase bandwidth usage. To improve page load and bandwidth usage, I want to compress the HTTP response using Brotli and Gzip formats.

Luckily Microsoft has a package that uses middleware to compress the HTTP response for me called Microsoft.AspNetCore.ResponseCompression. From the package official documentation, compression for secured websites is disabled by default.

Using compression with dynamically generated pages can lead to security problems such as the CRIME and BREACH attacks.

My question how can I compress the response while avoiding security issues?

Here is how I set up the Microsoft.AspNetCore.ResponseCompression package

public void ConfigureServices(IServiceCollection services)
{
    services.AddResponseCompression(options =>
    {
        options.Providers.Add();
        options.Providers.Add();
        options.MimeTypes = ResponseCompressionDefaults.MimeTypes.Concat(
        new[] { "image/svg+xml", "image/jpeg" });
        options.EnableForHttps = true;
    });

    ...
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    app.UseResponseCompression();
    ...
}

The above setup will apply compression for the following MIMI types

application/javascript
application/json
application/xml
text/css
text/html
text/json
text/plain
text/xml
image/svg+xml
image/jpeg

How to enable compression in asp.net Core 2.2 project for https site and avoid problems like CRIME and BREACH

Answers (1)

Related Questions