length_hiding_types

The `length_hiding_types` directive specifies content types for which random length hiding will be applied in responses.

Syntax: length_hiding_types type [type ...];
Default: none
Context: http, server, location
Arguments: 1+

Description

The length_hiding_types directive is part of the NGINX Length Hiding Filter Module and determines the MIME types of responses that should have random length hiding applied. This feature is intended to mitigate specific attacks such as BREACH by appending random HTML comments to the end of responses, making it more difficult for attackers to infer the content of sensitive responses from variations in response length. It takes one or more arguments, each a valid MIME type (e.g., 'text/html', 'application/json'), and the random padding is appended to responses of those content types.

The directive can be placed in the http, server, or location context, allowing for flexibility in configuration across entire server blocks or individual locations. Each specified type will be checked against the response's content type, and if it matches, random data will be appended. This can enhance security by introducing unpredictability in response sizes, which complicates the analysis for potential attackers.

Config Example

location /secure {
    length_hiding on;
    length_hiding_types text/html application/json;
}

Ensure that length_hiding is enabled for the directive to have any effect.

Define content types that accurately reflect what your application serves; otherwise, random bytes will not be appended to some responses.

Remember that responses whose content type is not in the configured list are not padded, so length hiding will not work for them.
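The notes above can be checked from the outside. The following is an added example, not part of the module or its documentation: a small Python audit that takes body lengths observed over repeated requests for unchanged resources and reports which content types are not being padded. The function names, verdict labels and sample observations are constructed for illustration; the configured types are the ones from the config example.

```python
from collections import defaultdict

# Types taken from the page's config example.
CONFIGURED_TYPES = {"text/html", "application/json"}

def mime_of(content_type_header):
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type_header.split(";", 1)[0].strip().lower()

def audit(samples, configured=CONFIGURED_TYPES):
    """samples: (url, Content-Type header, body length) tuples from repeated
    requests for the same unchanged resource.
    Returns {(url, mime): verdict}."""
    lengths = defaultdict(set)
    for url, ctype, length in samples:
        lengths[(url, mime_of(ctype))].add(length)
    report = {}
    for (url, mime), seen in lengths.items():
        varies = len(seen) > 1
        if mime in configured:
            # Listed but constant: length_hiding is probably not "on" here.
            report[(url, mime)] = "padded" if varies else "listed-but-constant"
        else:
            # Not listed: no padding is expected for this type.
            report[(url, mime)] = "varies-unlisted" if varies else "not-listed"
    return report

# Constructed observations (not real traffic): three requests per URL.
SAMPLES = [
    ("/secure/profile", "text/html; charset=utf-8", 5120),
    ("/secure/profile", "text/html; charset=utf-8", 5391),
    ("/secure/profile", "text/html; charset=utf-8", 5207),
    ("/secure/api/token", "application/json", 312),
    ("/secure/api/token", "application/json", 312),
    ("/secure/api/token", "application/json", 312),
    ("/secure/export", "text/xml", 2048),
    ("/secure/export", "text/xml", 2048),
    ("/secure/export", "text/xml", 2048),
]

if __name__ == "__main__":
    for (url, mime), verdict in sorted(audit(SAMPLES).items()):
        print(f"{verdict:20} {mime:18} {url}")
```

A "listed-but-constant" verdict points at a location where length_hiding is not enabled; "not-listed" points at a served type missing from length_hiding_types.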
