class GZipMiddleware
Warning
Security researchers recently revealed that when compression techniques (including GZipMiddleware) are used on a website, the site may become exposed to a number of possible attacks. Before using GZipMiddleware on your site, you should consider very carefully whether you are subject to these attacks. If you’re in any doubt about whether you’re affected, you should avoid using GZipMiddleware. For more details, see the BREACH paper (PDF) and breachattack.com.
Compresses content for browsers that understand GZip compression (all modern browsers).
This middleware should be placed before any other middleware that need to read or write the response body so that compression happens afterward.
It will NOT compress content if any of the following are true:
- The content body is less than 200 bytes long.
- The response has already set the Content-Encoding header.
- The request (the browser) hasn’t sent an Accept-Encoding header containing gzip.
You can apply GZip compression to individual views using the gzip_page() decorator.
In older versions, Django’s CSRF protection mechanism was vulnerable to BREACH attacks when compression was used. This is no longer the case, but you should still take care not to compromise your own secrets this way.
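One way to act on the advice above about your own secrets, as an added example (not Django's code): embed the secret under a fresh random mask in every response so its bytes never repeat, and run size_gap() against your own templates to see whether compressed size depends on the embedded value. SECRET, UNRELATED, render() and all function names are constructed for illustration.

```python
import base64
import hmac
import secrets
import zlib

# Constructed sample values, not real credentials.
SECRET = b"9f2c4e7a1b8d3056c4a7e91f0b62d8a3"
UNRELATED = b"5d1e8b3f7a0c92646e1fb08d3c7a9e25"


def mask_secret(secret: bytes) -> str:
    """Encode `secret` XORed with a fresh random pad, so the bytes differ per response."""
    pad = secrets.token_bytes(len(secret))
    masked = bytes(p ^ s for p, s in zip(pad, secret))
    return base64.urlsafe_b64encode(pad + masked).decode("ascii")


def unmask_secret(token: str) -> bytes:
    """Recover the secret from a value produced by mask_secret()."""
    raw = base64.urlsafe_b64decode(token.encode("ascii"))
    if not raw or len(raw) % 2:
        raise ValueError("malformed masked token")
    half = len(raw) // 2
    return bytes(p ^ m for p, m in zip(raw[:half], raw[half:]))


def token_matches(token: str, secret: bytes) -> bool:
    """Constant-time check of a submitted masked token against the secret."""
    try:
        return hmac.compare_digest(unmask_secret(token), secret)
    except ValueError:  # bad base64, odd length, or non-ASCII input
        return False


def render(embedded: bytes, reflected: bytes) -> bytes:
    """Hypothetical page that embeds a value and echoes request input."""
    return (b"<input type='hidden' name='api_key' value='" + embedded +
            b"'><p>Results for: " + reflected + b"</p>")


def size_gap(embedded: bytes) -> int:
    """Compressed bytes saved when the echoed text equals SECRET rather than UNRELATED."""
    other = len(zlib.compress(render(embedded, UNRELATED), 9))
    same = len(zlib.compress(render(embedded, SECRET), 9))
    return other - same
```

A positive size_gap(SECRET) means the response length reveals whether echoed input equals the embedded value; passing mask_secret(SECRET).encode() instead embeds bytes that change on every response.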