Am I correct that it is still safe to have compression enabled for static
files? Assuming you're not sending secrets inside CSS or JS files?
http://wiki.nginx.org/HttpGzipModule says that the gzip on directive can be
set in location.
On Tuesday, 6 August 2013 17:58:42 UTC+1, Donald Stufft wro
On Tuesday, August 6, 2013 3:42:01 PM UTC+1, Jacob Kaplan-Moss wrote:
>
> We plan to take steps to address BREACH in Django itself, but in the
> meantime we recommend that all users of Django understand this
> vulnerability and take action if appropriate.
>
>
Would randomizing the CSRF token on
Hi Jacob,
Thanks for this!
Idea!
Since many of the mitigations hint at CSRF improvements, consider fixing
the issue with CSRF. This should automatically fix issues for both gzip
middleware and external projects like mod_deflate etc.
That is, go with mitigation 3.4 and 3.6.
Regards,
Benjamin
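The compression side channel the thread is about, and the two points raised above (whether gzip on static files is still safe, and whether randomizing or masking the CSRF token per response takes the problem away), as an added example in Python that is not code from the Django project or from anyone in this thread. The page layout, the token value `7f3c9a1e`, the hex alphabet, the toy LZ77 encoder and the mask-then-XOR scheme are all constructed for the demonstration and are assumptions, not Django's implementation; real gzip adds Huffman coding and whole-byte output on top of LZ77, so a real BREACH attack has to average repeated measurements, but the leak it exploits is the one shown here.

```python
import os

# Constructed example: a toy DEFLATE-style (LZ77 only) size oracle, a page that
# puts a CSRF token and a reflected query string in the same body, the BREACH
# guessing loop against it, and a per-response mask that breaks the guessing.

MIN_MATCH = 3      # shortest back-reference the toy encoder emits
LITERAL_COST = 1   # bytes a literal costs in the toy encoding
MATCH_COST = 3     # bytes a (distance, length) pair costs in the toy encoding
MAX_MATCH = 255

SECRET_TOKEN = "7f3c9a1e"   # constructed CSRF token; the attacker wants this
HEX = "0123456789abcdef"    # the attacker knows the token is lowercase hex


def lz77_size(data: bytes) -> int:
    """Size of a greedy LZ77 pass over data, in toy-encoding bytes.

    Only the LZ77 stage of DEFLATE is modelled. The point it shows is exact:
    bytes that repeat an earlier part of the stream are cheaper than new bytes.
    """
    size, i, n = 0, 0, len(data)
    while i < n:
        best_len = 0
        for j in range(i):                       # longest earlier occurrence of data[i:]
            k = 0
            while k < MAX_MATCH and i + k < n and data[j + k] == data[i + k]:
                k += 1
            best_len = max(best_len, k)
        if best_len >= MIN_MATCH:
            size += MATCH_COST
            i += best_len
        else:
            size += LITERAL_COST
            i += 1
    return size


def render(reflected: str, token: str) -> bytes:
    """Constructed page: the CSRF token and a reflected query string share one body."""
    return (
        "<html><body>"
        "<form><input type='hidden' name='csrfmiddlewaretoken' value='" + token + "'></form>"
        "<p>Results for " + reflected + "</p>"
        "</body></html>"
    ).encode()


def unmasked_oracle(reflected: str) -> int:
    # What the attacker observes on the wire: the compressed (hence ciphertext) length.
    return lz77_size(render(reflected, SECRET_TOKEN))


def guess_next(oracle, known: str) -> str:
    """The hex digit whose reflection compresses best extends the token match by one."""
    sizes = {c: oracle("value='" + known + c) for c in HEX}   # "value='" is known page context
    return min(HEX, key=sizes.__getitem__)


def recover_token(oracle, length: int) -> str:
    known = ""
    for _ in range(length):
        known += guess_next(oracle, known)
    return known


def mask_token(token: str, mask=None) -> str:
    """Per-response masking (simplified scheme, an assumption of this example):
    the page carries hex(mask) || hex(token XOR mask) with a fresh random mask."""
    raw = token.encode()
    if mask is None:
        mask = os.urandom(len(raw))
    assert len(mask) == len(raw)
    return mask.hex() + bytes(a ^ b for a, b in zip(raw, mask)).hex()


def unmask_token(masked: str) -> str:
    """Server side: strip the mask again before comparing against the session token."""
    half = len(masked) // 2
    mask = bytes.fromhex(masked[:half])
    xored = bytes.fromhex(masked[half:])
    return bytes(a ^ b for a, b in zip(xored, mask)).decode()


def masked_oracle(reflected: str) -> int:
    # A fresh mask on every response: the bytes sitting next to the attacker's
    # input differ each time, so a correct guess no longer compresses better
    # consistently across requests.
    return lz77_size(render(reflected, mask_token(SECRET_TOKEN)))


if __name__ == "__main__":
    print("recovered without masking:", recover_token(unmasked_oracle, len(SECRET_TOKEN)))
    print("recovered with masking:   ", recover_token(masked_oracle, len(SECRET_TOKEN)))
    print("server unmasks to:        ", unmask_token(mask_token(SECRET_TOKEN)))
```

Against `unmasked_oracle` the loop recovers the whole token, one hex digit per sixteen requests, because a correct guess lengthens the back-reference to the token by one byte and saves one literal. Against `masked_oracle` the same loop gets nothing stable, while `unmask_token` still lets the server validate the value; that is the effect of the "randomize the token per response" suggestion, independent of whether compression happens in Django's GzipMiddleware or in mod_deflate or nginx. On the static-file question: the oracle needs the secret and attacker-controlled input in the same compressed stream, and a CSS or JS file served on its own contains neither, so enabling `gzip on` in a `location` that serves only such files does not give this attack anything to measure.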
Hi folks --
At last week's Black Hat conference, researchers announced the BREACH
attack (http://breachattack.com/), a new attack on web apps that can
recover data even when secured with SSL connections. Given what we know so
far, we believe that BREACH may be used to compromise Django's CSRF
prot