2.1.3 Ensure modules with gzip functionality are disabled


gzip is used for compression. Compression functionality should be disabled to prevent certain types of attacks from being performed successfully.


Compression has been linked with the Breach attack and others. While the Breach attack has been mitigated with modern usages of the HTTP protocol, disabling the use of compression is considered a defense-in-depth strategy to mitigate other attacks.


In order to disable the http_gzip_module and the http_gzip_static_module, NGINX must be recompiled from source. This can be accomplished using the below command in the folder you used during your original compilation. This must be done without the --with-http_gzip_static_module or --with-http_gzip_module configuration directives.

./configure --without-http_gzip_module --without-http_gzip_static_module

Default Value:

The http_gzip_module is enabled by default in the source build, and the http_gzip_static_module is not. Only the http_gzip_static_module is enabled by default in the dnf package.

See Also


Item Details


References: 800-53|CM-7, 800-53|CM-7(1), CSCv7|2.8

Plugin: Unix

Control ID: 068a439fc54070e4df1f671fc5f88b7777d54363814cfd8e627105ee9cc330f5