by elchief 4568 days ago
General. Don't use TLS compression or HTTP compression for any information you want to keep secret. BREACH and CRIME attacks exploit this.

You can still use, say, HTML minification.

You can compress your js and css as long as you make sure you aren't sending your confidential information in those request/response headers. A good way to do this is to set up a subdomain for media that never uses cookies.

1 comment
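The side channel the post is warning about, as an added example that is not code from the thread or from any project it mentions: a BREACH-style compression oracle built on zlib over a constructed HTML response. The page, the secret token, the candidate values and the attacker model (sees only response lengths) are all assumptions made up for the illustration.

```python
"""Added example, not code from the HN thread or any project it mentions:
a minimal BREACH-style compression oracle built on zlib over a constructed
HTML response.

Constructed setting: an authenticated page echoes an attacker-controlled
query parameter and also embeds a secret anti-CSRF token in a hidden field.
The attacker cannot read the body (it is inside TLS) but can observe the
length of each compressed response, e.g. by making the victim's browser
issue cross-site requests with chosen query strings.
"""
import zlib

# Constructed secret; the attacker does not know it.
SECRET_TOKEN = "3f9c17ae5b02d6e4"

# Attacker's candidate values (constructed). They are permutations of one
# multiset of characters, and the wrong ones share no 3-character substring
# with the page text or with the real token, so DEFLATE's Huffman coding
# sees the same symbol frequencies for every candidate: any size difference
# can only come from an LZ77 back-reference, i.e. from a candidate recurring
# elsewhere in the body.
CANDIDATES = [
    "e4d602b5ae71c9f3",
    "3f9c17ae5b02d6e4",  # the real token
    "b5e2a0d47c1f6e93",
    "6e93b5e2a0d47c1f",
]

NAV = "".join(
    f'<li><a href="/section/{w}">{w}</a></li>' for w in ("home", "about", "help", "contact")
)


def dynamic_page(reflected: str, secret=SECRET_TOKEN) -> bytes:
    """Constructed authenticated page: echoes `reflected` and embeds `secret`.
    With secret=None it models a response that carries no secret at all."""
    hidden = f'<input type="hidden" name="csrf" value="{secret}">' if secret else ""
    html = (
        f"<html><body><ul>{NAV}</ul>"
        f"<p>You searched for: {reflected}</p>"
        f'<form method="post">{hidden}<input type="text" name="q">'
        "<button>Go</button></form></body></html>"
    )
    return html.encode()


def cookieless_page(reflected: str) -> bytes:
    """The same page as served from an origin that never sees the session:
    no secret is ever embedded, so compressing it is harmless."""
    return dynamic_page(reflected, secret=None)


def observed_length(body: bytes, compress: bool) -> int:
    """Wire length as the attacker sees it (TLS record padding aside)."""
    return len(zlib.compress(body, 9)) if compress else len(body)


def oracle(candidates, page=dynamic_page, compress=True):
    """Return the unique candidate that yields the shortest response, or
    None when the lengths do not single one out."""
    sizes = {c: observed_length(page(c), compress) for c in candidates}
    smallest = min(sizes.values())
    winners = [c for c, n in sizes.items() if n == smallest]
    return winners[0] if len(winners) == 1 else None


def leak_margin(candidates, page=dynamic_page, compress=True) -> int:
    """Bytes by which the shortest response beats the runner-up; 0 means
    the oracle has nothing to work with."""
    sizes = sorted(observed_length(page(c), compress) for c in candidates)
    return sizes[1] - sizes[0]


if __name__ == "__main__":
    print("compressed, secret in body   ->", oracle(CANDIDATES))
    print("margin (bytes)               ->", leak_margin(CANDIDATES))
    print("uncompressed, secret in body ->", oracle(CANDIDATES, compress=False))
    print("compressed, cookieless page  ->", oracle(CANDIDATES, cookieless_page))
```

Run stand-alone, the first line prints the real token: when the guess matches, the token in the hidden field is emitted as a back-reference to the echoed guess instead of sixteen literals, and the response shrinks by several bytes. The two mitigations from the post are the other two lines: with compression off, every candidate produces the same length, and on a page that never carries the secret (the cookieless media origin), compression has nothing to leak. The real BREACH attack does not guess whole tokens; it extends a known prefix one byte at a time, and because each correct byte saves only a few bits it needs many requests and statistical tricks to read the signal through Huffman and TLS-record noise. CRIME is the same idea one layer down, against TLS-level compression, which covers the request headers and therefore the Cookie header itself.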

Thanks. We've been segregating authenticated vs non-authenticated traffic to different domains for a few years now (we had the same realization as moot), but I was unaware of this specific exploit related to TLS compression.

That said, it seems on nginx TLS compression was not enabled by default, so we are ok (for this known vulnerability).