14 Mar
CRIME and BREACH attacks, HTTP/2 and HTTP/3
I have been reading on CRIME and BREACH attacks and I want to learn better how to protect against them.
From what I understood, those attacks require TLS encryption over HTTP compression and HTTP content reflecting a user input.
HTTP/2 uses HPACK and HTTP/3 uses QPACK header compression, which are secure against CRIME and BREACH. If my secret data is only inside headers, does that mean that I can safely use compression on the whole request / response, with HTTP/2 or HTTP/3?
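An added example, not part of the original post: a check of whether a response body's compressed size changes with the secret while the reflected input stays fixed, which is the combination of conditions the question lists. It models only DEFLATE body compression through Python's `zlib` (HPACK and QPACK are not modelled), and the page template, token values and function names are constructed for illustration.

```python
import zlib

# Constructed sample values; none of them come from the original post.
SECRET_A = "tok=4f9a1c7e2b8d6035"
SECRET_B = "tok=zq8mwk3hvdxr5ynj"
PAGE = "<html><body><p>Results for: {q}</p>{extra}</body></html>"


def body_secret_in_body(secret: str, reflected: str) -> bytes:
    """Secret and reflected input end up in the same compressed body."""
    field = f"<input name='csrf' value='{secret}'>"
    return PAGE.format(q=reflected, extra=field).encode()


def body_secret_in_header(secret: str, reflected: str) -> bytes:
    """Secret travels only in a header, so it is never an input to the body."""
    return PAGE.format(q=reflected, extra="").encode()


def compressed_len(body: bytes) -> int:
    # DEFLATE, as used by Content-Encoding: gzip / deflate on the body.
    return len(zlib.compress(body, 9))


def length_depends_on_secret(build_body, reflected: str) -> bool:
    """True if the compressed size varies with the secret for a fixed reflected input."""
    sizes = {
        compressed_len(build_body(secret, reflected))
        for secret in (SECRET_A, SECRET_B)
    }
    return len(sizes) > 1


if __name__ == "__main__":
    reflected = SECRET_A  # fixed reflected input, equal to one of the two secrets
    for name, builder in (
        ("secret echoed in body", body_secret_in_body),
        ("secret only in header", body_secret_in_header),
    ):
        verdict = length_depends_on_secret(builder, reflected)
        print(f"{name}: size depends on secret = {verdict}")
```

The same check can be pointed at a real response builder in a test suite to confirm that a header-only secret is never echoed into a compressed body.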