Details
nginx's ngx_http_gzip_module compresses HTTP responses with gzip before they are sent to the client. Response compression should be disabled so that compression-based side-channel attacks against the contents of encrypted responses cannot succeed.
Rationale:
Response compression has been linked to the BREACH attack (presented at Black Hat 2013) and related compression side channels. BREACH recovers a secret such as a CSRF token from an HTTPS response by reflecting attacker-chosen input into the same response and observing how the compressed length changes as guesses match the secret. It operates at the HTTP layer, so disabling TLS compression (the fix for the earlier CRIME attack) does not stop it. Many web frameworks now partially mitigate BREACH by masking CSRF tokens per request, but the only complete mitigation is to not compress responses that carry secrets, and removing the gzip module entirely is a defense-in-depth measure that also rules out other compression-ratio attacks.
Solution
The gzip module (ngx_http_gzip_module) is compiled into nginx by default, so disabling it requires rebuilding nginx from source. Run configure in the directory used for the original build, passing --without-http_gzip_module and keeping every other option from the original build (nginx -V prints them as "configure arguments"). Do not add --with-http_gzip_static_module, which serves pre-compressed files and is not built by default. Before starting the rebuilt binary, remove any gzip* directives from nginx.conf: a build without the module rejects them with an "unknown directive" error. Afterwards, confirm with nginx -V that the configure arguments include --without-http_gzip_module.
./configure --without-http_gzip_module
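The following helpers are an added example for auditing and applying this control; they are not part of the benchmark text or of the nginx project. They work on the "configure arguments" string that nginx -V prints and on nginx.conf text, so they can be run against a pasted copy as well as a live host. The sample arguments and configuration at the bottom are constructed, not captured from a real system, and the assumption that no configure flag carries a quoted value with spaces is noted in the code.

```shell
#!/bin/sh
# Added audit/remediation helpers for this control (example code, not part of
# the benchmark text or the nginx project). They operate on the
# "configure arguments:" string that `nginx -V` prints and on nginx.conf text.

# Returns 0 and prints PASS when ngx_http_gzip_module was excluded at build
# time and ngx_http_gzip_static_module was not added; otherwise prints the
# failing condition and returns 1.
audit_gzip_build() {
    configure_args="$1"
    case "$configure_args" in
        *--with-http_gzip_static_module*)
            echo "FAIL: built with --with-http_gzip_static_module"
            return 1 ;;
    esac
    case "$configure_args" in
        *--without-http_gzip_module*)
            echo "PASS: ngx_http_gzip_module excluded at build time"
            return 0 ;;
        *)
            # The gzip module is compiled in by default, so its absence from
            # the flags means it is present in the binary.
            echo "FAIL: --without-http_gzip_module not in configure arguments"
            return 1 ;;
    esac
}

# Rewrites a configure-argument string for the hardened rebuild: drops
# --with-http_gzip_static_module and appends --without-http_gzip_module if
# it is not already there, keeping every other original flag. Assumes the
# flags contain no quoted values with spaces (e.g. --with-cc-opt='-g -O2');
# those would be split here and must be re-quoted by hand.
hardened_configure_args() {
    args=""
    for flag in $1; do
        case "$flag" in
            --with-http_gzip_static_module) ;;   # drop it
            *) args="$args $flag" ;;
        esac
    done
    case " $args " in
        *" --without-http_gzip_module "*) ;;
        *) args="$args --without-http_gzip_module" ;;
    esac
    printf '%s\n' "${args# }"
}

# Counts active (non-commented) gzip* directives in nginx.conf text. A binary
# built with --without-http_gzip_module refuses to start on any of them with
# an 'unknown directive' error, so they must be removed before the rebuilt
# nginx is put into service.
count_gzip_directives() {
    printf '%s\n' "$1" | sed 's/#.*//' \
        | grep -Ec '(^|[[:space:];{])gzip(_[a-z_]+)?[[:space:]]' || true
}

# Constructed sample data (not from a real host).
SAMPLE_ARGS='--prefix=/usr/local/nginx --with-http_ssl_module --with-http_gzip_static_module'
SAMPLE_CONF='http {
    #gzip on;
    gzip on;
    gzip_types text/plain application/json;
    server {
        listen 80;
    }
}'

# Usage on a live host:
#   audit_gzip_build "$(nginx -V 2>&1 | sed -n 's/^configure arguments: //p')"
#   count_gzip_directives "$(nginx -T 2>/dev/null)"
audit_gzip_build "$SAMPLE_ARGS" || :
echo "rebuild with: ./configure $(hardened_configure_args "$SAMPLE_ARGS")"
echo "active gzip directives to remove: $(count_gzip_directives "$SAMPLE_CONF")"
```

On the constructed sample the audit fails because the static gzip module was built in; the rewritten configure line keeps --prefix and --with-http_ssl_module, drops the static module flag and appends --without-http_gzip_module, and the directive count reports the two live gzip lines that would stop the rebuilt binary from starting (the commented one is ignored).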
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Unix.