id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
34170	Mitigate the BREACH attack	Andreas Pelme	Andreas Pelme	"The BREACH attack (https://breachattack.com/) was published in 2013. The Django project responded soon after (https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/) suggesting that users basically stop using gzip. CSRF masking was implemented in 2016 (#20869).

In April 2022, a paper called ""Heal The Breach"" was published, suggesting a mitigation that does not depend on masking specific tokens or injecting data into HTML. It is rather a generic and effective mitigation. It suggests adding randomness to the compressed response by injecting random bytes in the gzip filename field of the gzip stream: https://ieeexplore.ieee.org/document/9754554

Telling users to disable gzip is not great for bandwidth consumption. I propose that Django should implement ""Heal The Breach"" with a sensible default."	New feature	assigned	HTTP handling	dev	Normal		breach, htb, gzip		Accepted	1	0	0	1	0	0
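The following worked example is added here; it is not code from the ticket, from the Heal The Breach paper, or from Django itself. It builds a gzip member by hand (RFC 1952 header, raw DEFLATE body, CRC32/ISIZE trailer) with a random-length random FNAME field as the paper proposes, parses the header back to show where the bytes went, and uses a constructed HTML page with a CSRF-like token to show first why the plain compressed length leaks whether an attacker-reflected guess matches the token, and then how the random header bytes blur that length. The 100-byte ceiling, the Latin-1 alphabet for the random bytes, the sample page and the token value are assumptions of the example, not Django's settings.

```python
import gzip
import secrets
import struct
import zlib

FNAME = 0x08                            # RFC 1952 FLG.FNAME bit
FEXTRA = 0x04                           # RFC 1952 FLG.FEXTRA bit
FNAME_ALPHABET = bytes(range(1, 256))   # Latin-1 minus NUL: FNAME is NUL-terminated


def gzip_with_fname(data: bytes, fname: bytes, level: int = 6) -> bytes:
    """Build one gzip member by hand with an explicit FNAME header field."""
    if b"\x00" in fname:
        raise ValueError("FNAME is NUL-terminated and cannot contain NUL")
    flags = FNAME if fname else 0
    # ID1 ID2 CM=8 (deflate) FLG | MTIME=0 | XFL=0 OS=255 (unknown)
    header = struct.pack("<4BIBB", 0x1F, 0x8B, 8, flags, 0, 0, 255)
    if fname:
        header += fname + b"\x00"
    comp = zlib.compressobj(level, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw deflate
    body = comp.compress(data) + comp.flush()
    trailer = struct.pack("<II", zlib.crc32(data) & 0xFFFFFFFF, len(data) & 0xFFFFFFFF)
    return header + body + trailer


def gzip_heal_the_breach(data: bytes, max_random_bytes: int = 100) -> bytes:
    """HTB-style output: a uniformly random 0..max_random_bytes long random FNAME.

    Sketch for illustration; the ceiling and alphabet are assumptions of this
    example and not a description of Django's implementation.
    """
    n = secrets.randbelow(max_random_bytes + 1)
    fname = bytes(secrets.choice(FNAME_ALPHABET) for _ in range(n))
    return gzip_with_fname(data, fname)


def fname_length(stream: bytes) -> int:
    """Parse a gzip header and return the length of its FNAME field (0 if absent)."""
    if stream[:2] != b"\x1f\x8b" or stream[2] != 8:
        raise ValueError("not a gzip/deflate stream")
    flags = stream[3]
    pos = 10
    if flags & FEXTRA:                  # skip an optional FEXTRA block first
        (xlen,) = struct.unpack_from("<H", stream, pos)
        pos += 2 + xlen
    if not flags & FNAME:
        return 0
    return stream.index(b"\x00", pos) - pos


def roundtrip_ok(stream: bytes, data: bytes) -> bool:
    """The stdlib decoder must accept the hand-built member, random FNAME included."""
    return gzip.decompress(stream) == data


def page(secret: bytes, reflected: bytes) -> bytes:
    """Constructed sample response: a secret token plus attacker-reflected input."""
    return (
        b"<html><body>\n"
        b"<form><input type='hidden' name='csrf' value='" + secret + b"'></form>\n"
        b"<p>No results for: " + reflected + b"</p>\n"
        b"</body></html>\n"
    )


def response_size(secret: bytes, reflected: bytes, max_random_bytes: int = 0) -> int:
    """Compressed size as seen on the wire (TLS hides content, not length)."""
    body = page(secret, reflected)
    if max_random_bytes:
        return len(gzip_heal_the_breach(body, max_random_bytes))
    return len(gzip_with_fname(body, b""))


def size_samples(secret: bytes, reflected: bytes, trials: int, max_random_bytes: int = 100) -> list:
    """Observed sizes across repeated requests for the same guess."""
    return [response_size(secret, reflected, max_random_bytes) for _ in range(trials)]


if __name__ == "__main__":
    SECRET = b"7f2a9c41e6b3d805"                      # constructed token
    right = b"value='" + SECRET                        # guess matching the page context
    wrong = b"value='" + b"ffeeddccbbaa9988"           # guess sharing no 3-byte run
    # Plain gzip: the right guess collapses into one back-reference and is shorter.
    print("plain right/wrong:", response_size(SECRET, right), response_size(SECRET, wrong))
    # HTB: every response carries a different random offset; one pair no longer tells.
    print("htb right:", size_samples(SECRET, right, 8))
    print("htb wrong:", size_samples(SECRET, wrong, 8))
```

Two caveats a practitioner should keep in mind. The FNAME field is NUL-terminated, so the random bytes must never include 0x00, and a decoder that treats FNAME as a real filename will see garbage; the stdlib decoder above simply skips it. And the randomisation is a per-response offset, so an attacker who can make the same request many times can average it out; the mitigation raises the cost of BREACH rather than removing the length side channel, which is why the paper's argument is about attack budget rather than impossibility.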
