kanidmd_core/https/middleware/compression.rs
1//! Let's build a compression middleware!
2//!
3//! The threat of the TLS BREACH attack (1) was considered as part of adding
4//! the CompressMiddleware configuration.
5//!
6//! The attack targets secrets which are compressed and encrypted in flight
7//! with the intent to infer their content.
8//!
9//! This is not a concern for the paths covered by this configuration:
10//!
11//! * `/`
12//! * `/ui/<and all sub-paths>`
13//! * `/pkg/<and all sub-paths>`
14//!
15//! as they're all static content with no secrets in transit - all that data should
16//! come from Kanidm's REST API, which is on a different path and not covered by
17//! the compression middleware.
18//!
19//! (1) - <https://resources.infosecinstitute.com/topic/the-breach-attack/>
20//!
21
22use tower_http::compression::CompressionLayer;
23
24// TODO: this should skip compression on responses smaller than ~256 bytes because gzip can make them bigger.
25/// This builds a compression layer with the following configuration:
26///
27/// * No brotli compression - because that's *very* slow to compress dynamically
28/// * "Best" quality of compression, usually produces the smallest size.
29///
30pub fn new() -> CompressionLayer {
31 CompressionLayer::new()
32 .no_br()
33 .quality(tower_http::CompressionLevel::Best)
34}