Should I enable Gzip on Nginx server with SSL for a react app?

Views: 73

Question

I have a react app with a pretty large build size; it is deployed on an Nginx server with SSL. I learned a bit about GZip and how it can improve the site's performance. But I also came to know that it is not safe to use GZip with SSL. GZip is enabled for HTML files by default in Nginx. Should I enable it for other files like Javascript and CSS as well to improve performance?

Answer

You said:

"it is not safe to use GZip with SSL"

I assume that you are talking about the BREACH attack. Well, for a BREACH attack to be successful against a compressed response, two conditions need to be satisfied:

  1. User input is reflected in the HTTP response body
  2. A secret (e.g. a CSRF token) is reflected in the HTTP response body

When you send compressed js/css files in response, you usually do not reflect user input in the response. That means calling the js/css file URL will only return that file.

Also, you usually do not return any sensitive data in the response along with compressed js/css files.

So yeah, it is completely safe to use Gzip compression for js/css assets. Static responses are not vulnerable to this attack.
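As an added example (not from the original question or answer), here is an nginx server block that applies the answer's two conditions as a configuration decision: compression is on for the static build assets, which reflect neither user input nor secrets, and off for a proxied API location where a dynamic response could contain both. The hostname, certificate paths, build directory and backend address are placeholders.

```nginx
# Added example, not from the original post. Placeholder values:
# example.com, the certificate paths, /var/www/react-app/build and
# the backend at 127.0.0.1:3000 are assumptions for illustration.
server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/ssl/certs/example.com.pem;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    root /var/www/react-app/build;

    # Static build assets (hashed js/css bundles): the response is the file
    # itself, with no reflected user input and no per-user secret, so the
    # BREACH conditions are not met and gzip is safe here.
    location ~* \.(js|css|svg|json|map)$ {
        gzip on;
        gzip_types application/javascript text/css image/svg+xml application/json;
        gzip_min_length 1024;   # tiny files gain nothing from compression
        gzip_vary on;           # emit Vary: Accept-Encoding for caches
        expires 1y;
        add_header Cache-Control "public, immutable";
    }

    # Dynamic responses from the API may echo request data next to a
    # secret (session data, CSRF token), so compression stays off for them.
    location /api/ {
        gzip off;
        proxy_pass http://127.0.0.1:3000;
    }

    # SPA entrypoint: index.html from the build is itself a static file.
    location / {
        try_files $uri /index.html;
    }
}
```

The split by location is the point: the question of whether to compress is decided per response type, not per server. Only the location that can produce a response mixing attacker-influenced input with a secret needs `gzip off`; everything that is a plain static file can be compressed freely.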

