length_hiding

The `length_hiding` directive enables the response length hiding feature by appending random bytes to the response body.

Syntax: length_hiding on | off;
Default: off
Context: http, server, location, if in location
Arguments: flag

Description

The length_hiding directive is part of the NGINX Length Hiding Filter Module, which helps mitigate the BREACH attack by appending random content to the end of HTTP responses. When enabled, the module obscures the true size of the response body by appending an HTML comment of random length and random content, so the output length varies from one response to the next. This makes it significantly harder for an attacker to infer the length of secret tokens contained in the response, thereby protecting sensitive information.

The directive takes a boolean flag that determines whether length hiding is active. When enabled, NGINX appends a random HTML comment to the end of each response. This is particularly useful where disabling content compression (the usual BREACH countermeasure) is not feasible, because it randomizes the response size without a noticeable performance cost. The maximum length of the appended random data is configurable, so administrators control how much additional data each response carries and can fit the module to the needs of different applications.

In practice, place this directive in the http, server, location, or if-in-location context of the NGINX configuration file. Together with the length_hiding_max directive, which sets the upper limit of the random length, it lets administrators tune the balance between security and response overhead.

Config Example

location /secure {
    length_hiding on;
    length_hiding_max 512;
}

Set length_hiding_max appropriately so that the appended data does not grow large enough to affect performance.

Test before deploying: clients that depend on an exact body length for parsing may misbehave when extra bytes are appended, so enabling length_hiding without prior testing can introduce issues.

The feature should not be relied upon as the sole mitigation against BREACH; treat it as one layer of a broader security approach.
