by JZerf 1380 days ago
In addition to the reasons that mholt mentioned in response to your question, enabling HTTP/GZIP compression could possibly be less secure for some web server configurations due to things like the BREACH attack. See https://en.wikipedia.org/wiki/HTTP_compression#Security_impl... and https://en.wikipedia.org/wiki/BREACH for more info. I might be wrong but I don't think that current web serving protocols mitigate an attack like this. It might be better to default to safe settings that don't use HTTP/GZIP compression even if it might slow things down for the time being.
1 comment

Eh, it's not just current web serving protocols. Any protocol where:

- An application uses compression

- An attacker is able to supply chosen data to it

- The application compresses the attacker's data and static secret data together

- The attacker is able to monitor the size of the compressed data

- This can be repeated by the attacker a number of times

will be vulnerable to having its secret data stolen by techniques like BREACH. If you want your secret data to stay secret, don't compress it with attacker-chosen plaintext where the resulting size could be monitored.
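As an added illustration (not code from the thread), a small self-check a developer can run against a response template to see whether it meets the conditions listed above, followed by two mitigations that each break one of those conditions. The token value, the HTML template and the guess strings are constructed for the demo.

```python
import os
import zlib

# Constructed sample token for the demonstration; not a real secret.
SECRET_TOKEN = "d41d8cd98f00b204"

def render(token: str, reflected: str) -> bytes:
    """Response body that mixes a static secret (a CSRF token) with
    attacker-supplied text the page echoes back (e.g. a search query).
    This is exactly the pattern the comment above warns about."""
    return (f"<form><input type=hidden name=csrf value='{token}'></form>"
            f"<p>Results for: {reflected}</p>").encode()

def gzip_size(body: bytes) -> int:
    """Observable size when the response is DEFLATE-compressed (as gzip is)."""
    return len(zlib.compress(body, 6))

def oracle_delta(size_fn, token: str, matching: str, mismatching: str) -> int:
    """Defender's self-check. Compare the observable size for a reflected
    string that shares a prefix with the secret against one of equal
    length that does not. A positive delta means the size depends on
    whether the guess matched, i.e. the response is a compression oracle."""
    assert len(matching) == len(mismatching)
    return (size_fn(render(token, mismatching)) -
            size_fn(render(token, matching)))

# Mitigation 1: do not compress responses that carry secrets. The size
# then depends only on the plaintext length, which is identical for both
# guesses, so the delta is zero.
def plain_size(body: bytes) -> int:
    return len(body)

# Mitigation 2 (the same idea as per-request CSRF token masking in
# frameworks such as Django and Rails): remove the "static" precondition
# by XORing the token with a fresh one-time pad on every response, so the
# secret never appears twice with the same bytes and repeated size
# measurements stop converging on it.
def mask_token(token: str) -> str:
    raw = token.encode()
    pad = os.urandom(len(raw))
    masked = bytes(a ^ b for a, b in zip(raw, pad))
    return pad.hex() + masked.hex()

def unmask_token(field: str) -> str:
    half = len(field) // 2
    pad, masked = bytes.fromhex(field[:half]), bytes.fromhex(field[half:])
    return bytes(a ^ b for a, b in zip(pad, masked)).decode()
```

Calling `oracle_delta(gzip_size, SECRET_TOKEN, "value='d41d", "value='wxyz")` returns a positive number of bytes, while the same call with `plain_size` returns 0.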