length_hiding_max
The `length_hiding_max` directive configures the maximum length of random bytes added to HTTP responses to obscure the true response length.
Description
The length_hiding_max directive is part of the NGINX Length Hiding Filter Module, which helps mitigate BREACH attacks by appending randomly generated content to HTTP responses. BREACH infers secrets from the length of compressed responses, so randomizing that length removes the signal the attack depends on. This directive lets administrators set an upper limit on the random length of these appends. By hiding the true response length, it makes it significantly harder for an attacker to determine whether sensitive information is present in a response.
The directive takes a single integer argument that specifies the maximum number of bytes that may be added to a response. The padding never exceeds this threshold, which keeps a reasonable balance between security and performance. The value must lie between 256 and 2048 bytes; the module enforces these bounds when the configuration is parsed. The amount of added content varies from response to response, which is what makes the length unpredictable.
length_hiding_max only takes effect when length hiding is switched on with the length_hiding directive. Random content is then added only to responses whose content type matches the length_hiding_types directive. Together these directives let users tune response handling to the specific needs of their web services.
Config Example
```nginx
location /secure {
    length_hiding on;
    length_hiding_max 512;
    length_hiding_types text/html;
}
```

Ensure the length_hiding directive is enabled; otherwise, this directive will have no effect.
Values outside the 256-2048 range will cause configuration errors due to enforced bounds.
The added length is randomized per response, up to the configured maximum, so the value is a ceiling rather than a fixed amount of padding; the goal is to make response lengths unpredictable, not to add a precise number of bytes.
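As an added example (not part of the module or this page), the following Python checker parses an nginx-style configuration, resolves length_hiding inheritance across nested blocks, and flags the two mistakes described above: a length_hiding_max set where length_hiding is not on, and a value outside the 256-2048 range. The tokenizer, the helper names and the sample configuration are constructed for this example.

```python
import re
LH_MIN, LH_MAX = 256, 2048  # bounds the page says the module enforces on length_hiding_max
# Constructed sample config (not from the page): /secure inherits length_hiding
# on from http; /static switches it off and sets an out-of-range maximum.
SAMPLE_CONF = """http { length_hiding on;
  server { location /secure { length_hiding_max 512; length_hiding_types text/html; }
           location /static { length_hiding off; length_hiding_max 4096; } } }"""

_TOKEN = re.compile(r'[{};]|"[^"]*"|[^\s{};"]+')  # structure chars, quoted strings, words

def parse_directives(text):
    """Return (block_path, name, args) tuples; block_path is the tuple of enclosing block headers."""
    stack, current, out = [], [], []
    for tok in _TOKEN.findall(re.sub(r"#[^\n]*", "", text)):  # strip comments first
        if tok == "{":
            stack.append(" ".join(current))
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if current:
                out.append((tuple(stack), current[0], current[1:]))
        else:
            current.append(tok)
            continue
        current = []
    return out

def effective(settings, path, name):  # nearest enclosing value, mimicking nginx inheritance
    for depth in range(len(path), -1, -1):
        if name in settings.get(path[:depth], {}):
            return settings[path[:depth]][name]
    return None

def check_length_hiding(text):
    """Return one finding string per misuse of length_hiding_max in the config."""
    settings, findings = {}, []
    for path, name, args in parse_directives(text):
        if name.startswith("length_hiding"):
            settings.setdefault(path, {})[name] = args
    for path, d in settings.items():
        if "length_hiding_max" not in d:
            continue
        label = " > ".join(path) or "main"
        if effective(settings, path, "length_hiding") != ["on"]:
            findings.append(f"{label}: length_hiding is not on, so length_hiding_max has no effect")
        args = d["length_hiding_max"]
        value = int(args[0]) if len(args) == 1 and args[0].isdigit() else -1
        if not LH_MIN <= value <= LH_MAX:
            findings.append(f"{label}: length_hiding_max {' '.join(args)!r} is not an integer in {LH_MIN}-{LH_MAX}")
    return findings
```

Running `check_length_hiding(SAMPLE_CONF)` reports both problems in the /static block and nothing for /secure, which inherits `length_hiding on` from the http context.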