Mitigate BREACH attacks with random jitter and optional compression guard #102
Pull request overview
This PR implements BREACH attack mitigation for the Thruster HTTP/2 proxy by adding configurable random jitter to compressed responses and an optional compression guard for authenticated requests. The "heal-the-BREACH" philosophy is applied: compression remains enabled by default with jitter-based protection, but can be selectively disabled for sensitive traffic.
- Adds `GZIP_COMPRESSION_JITTER` (default: 32 bytes) to add random padding to compressed responses
- Adds `GZIP_COMPRESSION_DISABLE_ON_AUTH` (default: false) to disable compression for requests with authentication headers
- Updates `klauspost/compress` from v1.17.4 to v1.18.1 to support the `RandomJitter` feature
Reviewed changes
Copilot reviewed 10 out of 13 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| internal/config.go | Adds two new configuration fields with default values for BREACH mitigation |
| internal/config_test.go | Tests the new configuration options can be set via environment variables |
| internal/service.go | Passes new config options to handler initialization (formatting alignment) |
| internal/handler.go | Implements conditional gzip wrapper creation with jitter support and optional compression guard middleware |
| internal/compression_guard_middleware.go | New middleware that detects authenticated requests and sets no-compression header |
| internal/compression_guard_middleware_test.go | Comprehensive tests for compression guard middleware covering request/response headers |
| internal/handler_breach_test.go | Integration tests verifying jitter application and compression guard behavior |
| internal/request_start_middleware.go | Formatting fix (adds trailing newline) |
| internal/request_start_middleware_test.go | Formatting fix (adds trailing newline) |
| go.mod | Updates klauspost/compress dependency and promotes golang.org/x/net to direct dependency |
| go.sum | Updates checksums for dependency changes |
| README.md | Documents new environment variables and BREACH mitigation strategy in Security section |
| CHANGELOG.md | Records the new feature for upcoming v0.1.17 release |
Pull request overview
Copilot reviewed 10 out of 13 changed files in this pull request and generated 2 comments.
Pull request overview
Copilot reviewed 10 out of 13 changed files in this pull request and generated 1 comment.
…uard

"Heal-the-BREACH" philosophy: don't disable compression globally; instead, make it noisy by default.

Mitigations:
* Jitter for length hiding with randomized padding.
* Optional compression disabling for sensitive responses.

New options:
* `GZIP_COMPRESSION_JITTER`. Default: 32 (bytes). The amount of random jitter (in bytes) to add to the compressed response size to mitigate BREACH attacks. Set to `0` to disable.
* `GZIP_COMPRESSION_DISABLE_ON_AUTH`. Default: false. Whether to disable gzip compression for authenticated requests having `Cookie`/`Authorization`/`X-Csrf-Token` headers.
Pull request overview
Copilot reviewed 10 out of 13 changed files in this pull request and generated 1 comment.
"Heal-the-BREACH" philosophy: don't disable compression globally; instead, make it noisy by default.

Mitigations:
- Jitter for length hiding with randomized padding.
- Optional compression disabling for sensitive responses.

New options:
- `GZIP_COMPRESSION_JITTER`. Default: 32 (bytes). The amount of random jitter (in bytes) to add to the compressed response size to mitigate BREACH attacks. Set to `0` to disable.
- `GZIP_COMPRESSION_DISABLE_ON_AUTH`. Default: false. Whether to disable gzip compression for authenticated requests having `Cookie`/`Authorization`/`X-Csrf-Token` headers.
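As an added illustration of the two mitigations described above (this is not Thruster's code, and not how `klauspost/compress` implements `RandomJitter`): a standard-library Go sketch of a guard that keeps responses to requests carrying `Cookie`/`Authorization`/`X-Csrf-Token` uncompressed, and a gzip writer that pads the uncompressed header Comment field with a random 0..jitter-byte filler so identical plaintext no longer yields a stable compressed length. The function names, stripping `Accept-Encoding` as the guard mechanism, and using the Comment field as the padding carrier are my assumptions.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/rand"
	"fmt"
	"math/big"
	"net/http"
	"strings"
)

// CompressionGuard (hypothetical) strips Accept-Encoding from requests carrying
// Cookie, Authorization or X-Csrf-Token, so the gzip handler downstream skips them.
func CompressionGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, h := range []string{"Cookie", "Authorization", "X-Csrf-Token"} {
			if r.Header.Get(h) != "" {
				r.Header.Del("Accept-Encoding")
				break
			}
		}
		next.ServeHTTP(w, r)
	})
}

// CompressWithJitter gzips body and pads the uncompressed gzip header Comment with
// 0..jitter filler bytes: output decompresses unchanged, but its length varies.
func CompressWithJitter(body []byte, jitter int) ([]byte, error) {
	var buf bytes.Buffer
	gw := gzip.NewWriter(&buf)
	if jitter > 0 {
		n, err := rand.Int(rand.Reader, big.NewInt(int64(jitter)+1))
		if err != nil {
			return nil, err
		}
		gw.Comment = strings.Repeat("x", int(n.Int64())) // Latin-1, no NUL
	}
	gw.Write(body) // a write error is reported again by Close
	if err := gw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	out, _ := CompressWithJitter([]byte("constructed sample body"), 32)
	fmt.Println("compressed bytes:", len(out))
}
```

Running the sample repeatedly shows the compressed size moving within a 33-byte window while the decoded body stays identical.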