Does using HTTPS already include (transparent) content compression or should I still worry about negotiating with the browser whether to compress my Servlet output? If HTTPS already has compression, is it unconditional or does it need to be configured/negotiated/enabled?
Do I need/want gzip compression when using HTTPS?
TLS doesn't enable compression by default, though compression is defined in the TLS standard and can be enabled if both parties support it. So it's better not to rely on it and to request it at the HTTP level.
Assuming modern browsers and servers that support TLS compression, would it usually be enabled? If so, how? I'd rather set some configuration on my server than add code to do it (especially since TLS compression seems to come for free as part of the encryption). –
Givens
@Givens unfortunately I didn't see a compression option in modern browsers, so I assume that they either use it implicitly or do not use it at all, and the only way to check is to check the source code of Firefox and server-side SSL modules such as Apache and nginx (being one of the most popular ones). –
Pali
HTTPS only provides encryption. It does not compress the content. You should still negotiate gzip compression.
Compression was supported by TLS v1.2 and earlier but is prohibited in TLS v1.3 and higher, since compression creates known bit patterns which greatly ease hacking attempts. As such, you should assume that no compression will be done by HTTPS/TLS, and if you want compression, you must enable it on the HTTP level.
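
The HTTP-level negotiation the answers recommend, as an added example that is not part of the original answers: it decides from the `Accept-Encoding` request header whether gzip may be used and compresses the body only then. The class and method names are hypothetical; in a servlet the header value would come from `request.getHeader("Accept-Encoding")`, and the response would carry `Content-Encoding: gzip` and `Vary: Accept-Encoding`.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.zip.GZIPOutputStream;

public class GzipNegotiation { // hypothetical name, for illustration only

    // True if the Accept-Encoding value permits gzip. An explicit "gzip"
    // (or legacy "x-gzip") entry decides; otherwise "*" applies; q=0 refuses.
    static boolean acceptsGzip(String acceptEncoding) {
        if (acceptEncoding == null) return false; // conservative: no header, send uncompressed
        Double gzipQ = null, starQ = null;
        for (String item : acceptEncoding.split(",")) {
            String[] parts = item.trim().toLowerCase(Locale.ROOT).split(";");
            String coding = parts[0].trim();
            double q = 1.0; // default weight when no q parameter is given
            for (int i = 1; i < parts.length; i++) {
                String p = parts[i].trim();
                if (p.startsWith("q=")) {
                    try { q = Double.parseDouble(p.substring(2).trim()); }
                    catch (NumberFormatException e) { q = 0.0; } // malformed weight: treat as refused
                }
            }
            if (coding.equals("gzip") || coding.equals("x-gzip")) gzipQ = q;
            else if (coding.equals("*")) starQ = q;
        }
        if (gzipQ != null) return gzipQ > 0.0;
        return starQ != null && starQ > 0.0;
    }

    // Compresses a complete response body with gzip.
    static byte[] gzip(byte[] body) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(buf)) {
            gz.write(body);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample body and header values, not captured traffic.
        byte[] body = "<p>hello</p>".repeat(200).getBytes(StandardCharsets.UTF_8);
        String[] headers = { "gzip, deflate, br", "gzip;q=0, identity", "*;q=0.5", "deflate", null };
        for (String h : headers) {
            boolean useGzip = acceptsGzip(h);
            byte[] out = useGzip ? gzip(body) : body;
            System.out.printf("Accept-Encoding: %-20s -> %s, %d bytes%n",
                    h, useGzip ? "Content-Encoding: gzip" : "identity", out.length);
        }
    }
}
```

Whichever branch is taken, the response should include `Vary: Accept-Encoding` so that caches do not serve the gzip variant to a client that did not ask for it.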