Mitigate BREACH attacks with random jitter and optional compression guard

"Heal-the-BREACH" philosophy: don't disable compression globally;
instead, make it noisy by default.

Mitigations:
* Jitter for length hiding with randomized padding.
* Optional compression disabling for sensitive responses.

New options:
* `GZIP_COMPRESSION_JITTER`. Default: 32 (bytes).
  The amount of random jitter (in bytes) to add to the compressed
  response size to mitigate BREACH attacks. Set to `0` to disable.
* `GZIP_COMPRESSION_DISABLE_ON_AUTH`. Default: false.
  Whether to disable gzip compression for authenticated requests
  having `Cookie`/`Authorization`/`X-Csrf-Token` headers.

Author: jeremy

CHANGELOG.md

@@ -1,3 +1,7 @@
+## v0.1.17 / unreleased
+
+* Mitigate BREACH attacks with random jitter and optional compression guard (#102)
+
 ## v0.1.16 / 2025-10-19
 
 * Build with Go 1.25 (#93)

README.md

@@ -79,6 +79,8 @@ environment variables that you can set.
 | `CACHE_SIZE`                | The size of the HTTP cache in bytes. | 64MB |
 | `MAX_CACHE_ITEM_SIZE`       | The maximum size of a single item in the HTTP cache in bytes. | 1MB |
 | `GZIP_COMPRESSION_ENABLED`  | Whether to enable gzip compression for static assets. Set to `0` or `false` to disable. | Enabled |
+| `GZIP_COMPRESSION_DISABLE_ON_AUTH` | If set to `true`, disable gzip compression for authenticated requests with `Cookie`, `Authorization`, or `X-Csrf-Token` headers. | `false` |
+| `GZIP_COMPRESSION_JITTER`   | The amount of random jitter (in bytes) to add to the compressed response size to mitigate BREACH attacks. Set to `0` to disable. | 32 |
 | `X_SENDFILE_ENABLED`        | Whether to enable X-Sendfile support. Set to `0` or `false` to disable. | Enabled |
 | `MAX_REQUEST_BODY`          | The maximum size of a request body in bytes. Requests larger than this size will be refused; `0` means no maximum size is enforced. | `0` |
 | `STORAGE_PATH`              | The path to store Thruster's internal state. Provisioned TLS certificates will be stored here, so that they will not need to be requested every time your application is started. | `./storage/thruster` |
@@ -100,3 +102,14 @@ To prevent naming clashes with your application's own environment variables,
 Thruster's environment variables can optionally be prefixed with `THRUSTER_`.
 For example, `TLS_DOMAIN` can also be written as `THRUSTER_TLS_DOMAIN`. Whenever
 a prefixed variable is set, it will take precedence over the unprefixed version.
+
+## Security
+
+### BREACH Mitigation
+
+Thruster includes built-in mitigation for the [BREACH attack](https://breachattack.com/), which allows attackers to extract secrets from compressed encrypted traffic.
+
+1.  **Random Jitter (Enabled by Default)**: Thruster adds a random amount of "jitter" (padding) to the size of compressed responses. This makes it significantly harder for attackers to infer the content based on the compressed size. The default jitter is 32 bytes, controlled by `GZIP_COMPRESSION_JITTER`.
+2.  **Compression Guard (Optional)**: For higher security, you can disable compression entirely for authenticated requests (requests containing `Cookie`, `Authorization`, or `X-Csrf-Token` headers) by setting `GZIP_COMPRESSION_DISABLE_ON_AUTH=true`. This eliminates the side-channel entirely for sensitive traffic but may increase bandwidth usage.
+
+By default, Thruster prioritizes performance while providing baseline protection via jitter. Operators with strict security requirements should consider enabling the Compression Guard.

go.mod

@@ -3,17 +3,17 @@ module github.com/basecamp/thruster
 go 1.25.3
 
 require (
-	github.com/klauspost/compress v1.17.4
+	github.com/klauspost/compress v1.18.1
 	github.com/stretchr/testify v1.8.4
 	golang.org/x/crypto v0.37.0
+	golang.org/x/net v0.39.0
 )
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	golang.org/x/net v0.39.0 // indirect
 	golang.org/x/text v0.24.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -1,8 +1,8 @@
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
-github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
+github.com/klauspost/compress v1.18.1 h1:bcSGx7UbpBqMChDtsF28Lw6v/G94LPrrbMbdC3JH2co=
+github.com/klauspost/compress v1.18.1/go.mod h1:ZQFFVG+MdnR0P+l6wpXgIL4NTtwiKIdBnrBd8Nrxr+0=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=

internal/compression_guard_middleware.go

@@ -0,0 +1,95 @@
+package internal
+
+import (
+	"bufio"
+	"net"
+	"net/http"
+	"strings"
+
+	"github.com/klauspost/compress/gzhttp"
+)
+
+func NewCompressionGuardMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Check for user-specific headers in the request
+		if hasUserSpecificRequestHeaders(r) {
+			w.Header().Set(gzhttp.HeaderNoCompression, "1")
+		}
+
+		// Wrap the ResponseWriter to check for user-specific headers in the response
+		wrappedWriter := &compressionGuardResponseWriter{ResponseWriter: w}
+		next.ServeHTTP(wrappedWriter, r)
+	})
+}
+
+func hasUserSpecificRequestHeaders(r *http.Request) bool {
+	return r.Header.Get("Cookie") != "" ||
+		r.Header.Get("Authorization") != "" ||
+		r.Header.Get("X-Csrf-Token") != ""
+}
+
+type compressionGuardResponseWriter struct {
+	http.ResponseWriter
+	wroteHeader bool
+}
+
+func (w *compressionGuardResponseWriter) WriteHeader(statusCode int) {
+	if w.wroteHeader {
+		return
+	}
+	w.wroteHeader = true
+
+	// Check for user-specific headers in the response
+	if hasUserSpecificResponseHeaders(w.Header()) {
+		w.Header().Set(gzhttp.HeaderNoCompression, "1")
+	}
+
+	w.ResponseWriter.WriteHeader(statusCode)
+}
+
+func (w *compressionGuardResponseWriter) Write(b []byte) (int, error) {
+	if !w.wroteHeader {
+		w.WriteHeader(http.StatusOK)
+	}
+	return w.ResponseWriter.Write(b)
+}
+
+func hasUserSpecificResponseHeaders(h http.Header) bool {
+	if h.Get("Set-Cookie") != "" {
+		return true
+	}
+
+	cacheControl := strings.ToLower(h.Get("Cache-Control"))
+	for _, directive := range strings.Split(cacheControl, ",") {
+		dir := strings.TrimSpace(directive)
+		// Strip any value (e.g. private="Set-Cookie") before comparison.
+		dirName := strings.SplitN(dir, "=", 2)[0]
+		if dirName == "private" || dirName == "no-store" {
+			return true
+		}
+	}
+
+	vary := h.Get("Vary")
+	for _, token := range strings.Split(vary, ",") {
+		if strings.EqualFold(strings.TrimSpace(token), "cookie") {
+			return true
+		}
+	}
+
+	return false
+}
+
+// Flush implements http.Flusher
+func (w *compressionGuardResponseWriter) Flush() {
+	if flusher, ok := w.ResponseWriter.(http.Flusher); ok {
+		flusher.Flush()
+	}
+}
+
+// Hijack implements http.Hijacker
+func (w *compressionGuardResponseWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {
+	if hijacker, ok := w.ResponseWriter.(http.Hijacker); ok {
+		return hijacker.Hijack()
+	}
+	return nil, nil, http.ErrNotSupported
+}

internal/compression_guard_middleware_test.go

@@ -0,0 +1,110 @@
+package internal
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/klauspost/compress/gzhttp"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCompressionGuardMiddleware(t *testing.T) {
+	tests := []struct {
+		name           string
+		requestHeaders map[string]string
+		responseHeader map[string]string
+		wantNoCompress bool
+	}{
+		{
+			name:           "No auth headers",
+			requestHeaders: map[string]string{},
+			wantNoCompress: false,
+		},
+		{
+			name:           "Cookie header present",
+			requestHeaders: map[string]string{"Cookie": "session=123"},
+			wantNoCompress: true,
+		},
+		{
+			name:           "Authorization header present",
+			requestHeaders: map[string]string{"Authorization": "Bearer token"},
+			wantNoCompress: true,
+		},
+		{
+			name:           "X-Csrf-Token header present",
+			requestHeaders: map[string]string{"X-Csrf-Token": "token"},
+			wantNoCompress: true,
+		},
+		{
+			name:           "Set-Cookie response header",
+			responseHeader: map[string]string{"Set-Cookie": "session=123"},
+			wantNoCompress: true,
+		},
+		{
+			name:           "Cache-Control private response header",
+			responseHeader: map[string]string{"Cache-Control": "private, max-age=3600"},
+			wantNoCompress: true,
+		},
+		{
+			name:           "Cache-Control no-store response header",
+			responseHeader: map[string]string{"Cache-Control": "no-store"},
+			wantNoCompress: true,
+		},
+		{
+			name:           "Cache-Control private directive with value",
+			responseHeader: map[string]string{"Cache-Control": `public, private="Set-Cookie"`},
+			wantNoCompress: true,
+		},
+		{
+			name:           "Cache-Control token parsing avoids false positives",
+			responseHeader: map[string]string{"Cache-Control": "public, my-private-setting=value"},
+			wantNoCompress: false,
+		},
+		{
+			name:           "Vary Cookie response header",
+			responseHeader: map[string]string{"Vary": "Cookie"},
+			wantNoCompress: true,
+		},
+		{
+			name:           "Vary token parsing avoids false positives",
+			responseHeader: map[string]string{"Vary": "Accept-Encoding, Cookie-Name"},
+			wantNoCompress: false,
+		},
+		{
+			name:           "Case-insensitive header checks (response)",
+			responseHeader: map[string]string{"cache-control": "PRIVATE"},
+			wantNoCompress: true,
+		},
+		{
+			name:           "Case-insensitive header checks (request)",
+			requestHeaders: map[string]string{"cookie": "session=123"},
+			wantNoCompress: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			handler := NewCompressionGuardMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				for k, v := range tt.responseHeader {
+					w.Header().Set(k, v)
+				}
+				w.WriteHeader(http.StatusOK)
+			}))
+
+			req := httptest.NewRequest("GET", "/", nil)
+			for k, v := range tt.requestHeaders {
+				req.Header.Set(k, v)
+			}
+
+			rr := httptest.NewRecorder()
+			handler.ServeHTTP(rr, req)
+
+			if tt.wantNoCompress {
+				assert.Equal(t, "1", rr.Header().Get(gzhttp.HeaderNoCompression))
+			} else {
+				assert.Empty(t, rr.Header().Get(gzhttp.HeaderNoCompression))
+			}
+		})
+	}
+}

internal/config.go

@@ -37,18 +37,23 @@ const (
 
 	defaultLogLevel    = slog.LevelInfo
 	defaultLogRequests = true
+
+	defaultGzipCompressionDisableOnAuth = false
+	defaultGzipCompressionJitter        = 32
 )
 
 type Config struct {
 	TargetPort      int
 	UpstreamCommand string
 	UpstreamArgs    []string
 
-	CacheSizeBytes         int
-	MaxCacheItemSizeBytes  int
-	XSendfileEnabled       bool
-	GzipCompressionEnabled bool
-	MaxRequestBody         int
+	CacheSizeBytes               int
+	MaxCacheItemSizeBytes        int
+	XSendfileEnabled             bool
+	GzipCompressionEnabled       bool
+	GzipCompressionDisableOnAuth bool
+	GzipCompressionJitter        int
+	MaxRequestBody               int
 
 	TLSDomains       []string
 	ACMEDirectoryURL string
@@ -86,11 +91,13 @@ func NewConfig() (*Config, error) {
 		UpstreamCommand: os.Args[1],
 		UpstreamArgs:    os.Args[2:],
 
-		CacheSizeBytes:         getEnvInt("CACHE_SIZE", defaultCacheSize),
-		MaxCacheItemSizeBytes:  getEnvInt("MAX_CACHE_ITEM_SIZE", defaultMaxCacheItemSizeBytes),
-		XSendfileEnabled:       getEnvBool("X_SENDFILE_ENABLED", true),
-		GzipCompressionEnabled: getEnvBool("GZIP_COMPRESSION_ENABLED", true),
-		MaxRequestBody:         getEnvInt("MAX_REQUEST_BODY", defaultMaxRequestBody),
+		CacheSizeBytes:               getEnvInt("CACHE_SIZE", defaultCacheSize),
+		MaxCacheItemSizeBytes:        getEnvInt("MAX_CACHE_ITEM_SIZE", defaultMaxCacheItemSizeBytes),
+		XSendfileEnabled:             getEnvBool("X_SENDFILE_ENABLED", true),
+		GzipCompressionEnabled:       getEnvBool("GZIP_COMPRESSION_ENABLED", true),
+		GzipCompressionDisableOnAuth: getEnvBool("GZIP_COMPRESSION_DISABLE_ON_AUTH", defaultGzipCompressionDisableOnAuth),
+		GzipCompressionJitter:        getEnvInt("GZIP_COMPRESSION_JITTER", defaultGzipCompressionJitter),
+		MaxRequestBody:               getEnvInt("MAX_REQUEST_BODY", defaultMaxRequestBody),
 
 		TLSDomains:       getEnvStrings("TLS_DOMAIN", []string{}),
 		ACMEDirectoryURL: getEnvString("ACME_DIRECTORY", defaultACMEDirectoryURL),

internal/config_test.go

@@ -119,6 +119,8 @@ func TestConfig_override_defaults_with_env_vars(t *testing.T) {
 	usingEnvVar(t, "ACME_DIRECTORY", "https://acme-staging-v02.api.letsencrypt.org/directory")
 	usingEnvVar(t, "LOG_REQUESTS", "false")
 	usingEnvVar(t, "H2C_ENABLED", "true")
+	usingEnvVar(t, "GZIP_COMPRESSION_DISABLE_ON_AUTH", "true")
+	usingEnvVar(t, "GZIP_COMPRESSION_JITTER", "64")
 
 	c, err := NewConfig()
 	require.NoError(t, err)
@@ -132,6 +134,8 @@ func TestConfig_override_defaults_with_env_vars(t *testing.T) {
 	assert.Equal(t, "https://acme-staging-v02.api.letsencrypt.org/directory", c.ACMEDirectoryURL)
 	assert.Equal(t, false, c.LogRequests)
 	assert.Equal(t, true, c.H2CEnabled)
+	assert.Equal(t, true, c.GzipCompressionDisableOnAuth)
+	assert.Equal(t, 64, c.GzipCompressionJitter)
 }
 
 func TestConfig_override_defaults_with_env_vars_using_prefix(t *testing.T) {

internal/handler.go

@@ -9,15 +9,17 @@ import (
 )
 
 type HandlerOptions struct {
-	badGatewayPage           string
-	cache                    Cache
-	maxCacheableResponseBody int
-	maxRequestBody           int
-	targetUrl                *url.URL
-	xSendfileEnabled         bool
-	gzipCompressionEnabled   bool
-	forwardHeaders           bool
-	logRequests              bool
+	badGatewayPage               string
+	cache                        Cache
+	maxCacheableResponseBody     int
+	maxRequestBody               int
+	targetUrl                    *url.URL
+	xSendfileEnabled             bool
+	gzipCompressionEnabled       bool
+	gzipCompressionDisableOnAuth bool
+	gzipCompressionJitter        int
+	forwardHeaders               bool
+	logRequests                  bool
 }
 
 func NewHandler(options HandlerOptions) http.Handler {
@@ -27,7 +29,35 @@ func NewHandler(options HandlerOptions) http.Handler {
 	handler = NewRequestStartMiddleware(handler)
 
 	if options.gzipCompressionEnabled {
-		handler = gzhttp.GzipHandler(handler)
+		var wrapper func(http.Handler) http.HandlerFunc
+		var err error
+
+		if options.gzipCompressionJitter > 0 {
+			wrapper, err = gzhttp.NewWrapper(
+				gzhttp.MinSize(1024),
+				gzhttp.CompressionLevel(6),
+				gzhttp.RandomJitter(options.gzipCompressionJitter, 0, false),
+			)
+		} else {
+			wrapper, err = gzhttp.NewWrapper(
+				gzhttp.MinSize(1024),
+				gzhttp.CompressionLevel(6),
+			)
+		}
+
+		if err != nil {
+			// If we cannot create the wrapper with the requested configuration (including jitter),
+			// we must fail hard rather than silently downgrading security or performance.
+			panic("failed to create gzip wrapper: " + err.Error())
+		}
+
+		gzipHandler := wrapper(handler)
+
+		if options.gzipCompressionDisableOnAuth {
+			handler = NewCompressionGuardMiddleware(gzipHandler)
+		} else {
+			handler = gzipHandler
+		}
 	}
 
 	if options.maxRequestBody > 0 {