2.1.3 Ensure modules with gzip functionality are disabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

gzip is used for compression. Compression functionality should be disabled to prevent certain types of attacks from being performed successfully.

Rationale:

Compression has been linked with the BREACH attack and others. While BREACH has been mitigated in modern usage of the HTTP protocol, disabling compression is considered a defense-in-depth measure against related attacks.

Solution

In order to disable the http_gzip_module and the http_gzip_static_module, NGINX must be recompiled from source. This can be accomplished with the command below, run from the source directory you used during your original compilation. The build must be configured without the --with-http_gzip_static_module or --with-http_gzip_module configuration directives.

./configure --without-http_gzip_module --without-http_gzip_static_module
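Added here as an example (not part of the benchmark text): a POSIX shell check that parses the "configure arguments:" line reported by `nginx -V` (which prints to stderr) to confirm that a build satisfies this setting. The two sample `nginx -V` outputs are constructed, not captured from a real host.

```shell
#!/bin/sh
# Returns 0 (compliant) when http_gzip_module is built out and
# http_gzip_static_module was never built in; 1 otherwise.
# Usage on a live host: gzip_modules_disabled "$(nginx -V 2>&1)"
gzip_modules_disabled() {
    args=$(printf '%s\n' "$1" | sed -n 's/^configure arguments: *//p')
    # http_gzip_module is compiled in unless --without-http_gzip_module is present.
    case " $args " in
        *" --without-http_gzip_module "*) gzip_off=1 ;;
        *) gzip_off=0 ;;
    esac
    # http_gzip_static_module is compiled in only when --with-http_gzip_static_module is present.
    case " $args " in
        *" --with-http_gzip_static_module "*) static_on=1 ;;
        *) static_on=0 ;;
    esac
    [ "$gzip_off" -eq 1 ] && [ "$static_on" -eq 0 ]
}

# Constructed sample: a typical build with gzip left in and gzip_static added.
SAMPLE_DEFAULT='nginx version: nginx/1.24.0
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-http_gzip_static_module'

# Constructed sample: a build configured as this recommendation describes.
SAMPLE_HARDENED='nginx version: nginx/1.24.0
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --without-http_gzip_module --without-http_gzip_static_module'

# Report a verdict for each sample when run stand-alone.
for name in SAMPLE_DEFAULT SAMPLE_HARDENED; do
    eval "out=\$$name"
    if gzip_modules_disabled "$out"; then
        echo "$name: PASS (gzip modules disabled)"
    else
        echo "$name: FAIL (gzip module compiled in or gzip_static enabled)"
    fi
done
```

On a packaged build the same check applies to the distribution's binary; a FAIL there means the package must be rebuilt rather than reconfigured at runtime.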

Default Value:

The http_gzip_module is enabled by default in the source build, and the http_gzip_static_module is not. Only the http_gzip_static_module is enabled by default in the dnf package.

See Also

https://workbench.cisecurity.org/files/4538