Enable/Diasable HTTP compression for SpringBoot-Server on Cloud Foundry

Question

I have a Spring Boot Application on Cloud Foundry and want to deactivate the HTTP - Compression that is used in the following HTTP-Header: Accept-Encoding: gzip, deflate . I want to prevent a BREACH-attack.

Is there an Entry in the manifest.yml, with which i can disable this Compression ?

Answer 1

There are no manifest.yml (at least not for the cf cli's manifest.yml) attributes for your application. Remeber that manifest.yml is what controls (or automates) the cf cli and how it will push your application to Cloud Foundry. It's generic though across any type of app you can deploy. The best one can achieve is to have the cli pass information along to your application. You application has to be looking for that information though in order for it to change any behavior.

Fortunately, Spring Boot can consume external configuration property settings from a variety of places. Two of those, environment variables and system properties, can be set both through manifest.yml. Plus Spring Boot offers properties to control the compression it uses.

If you want to disable compression, just set server.compression.enabled to false.

https://docs.spring.io/spring-boot/docs/2.2.7.RELEASE/reference/html/appendix-application-properties.html#server-properties

Putting that all together, you can configure this property through manifest.yml by adding an env: block and defining the appropriate env variable.

Ex:

...
  env:
    SPRING_COMPRESSION_ENABLED: false
...

Alternatively, you could set a system property:

Ex:

...
  env:
    JAVA_OPTS: '-Dspring.compression.enabled=false'
...

That would just turn off compression, if you look at the doc reference there are other properties for Spring Boot which can be used to more finely tune compression. You could apply those, or any other Spring Boot configuration property, in the same way I described above.