{"id":13643712,"url":"https://github.com/nulab/nginx-length-hiding-filter-module","last_synced_at":"2025-03-20T09:55:39.686Z","repository":{"id":137627897,"uuid":"13262943","full_name":"nulab/nginx-length-hiding-filter-module","owner":"nulab","description":"nginx filter module to append random generated string to the end of HTML response","archived":false,"fork":false,"pushed_at":"2019-06-25T02:00:33.000Z","size":24,"stargazers_count":61,"open_issues_count":1,"forks_count":12,"subscribers_count":44,"default_branch":"master","last_synced_at":"2024-11-09T15:43:24.836Z","etag":null,"topics":["nginx"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nulab.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2013-10-02T04:43:14.000Z","updated_at":"2024-02-24T12:13:34.000Z","dependencies_parsed_at":null,"dependency_job_id":"65edc7e3-2f91-41f1-8027-92c35e1b5e2d","html_url":"https://github.com/nulab/nginx-length-hiding-filter-module","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nulab%2Fnginx-length-hiding-filter-module","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nulab%2Fnginx-length-hiding-filter-module/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nulab%2Fnginx-length-hiding-filter-module/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nulab%2Fnginx-length-hiding-filter-module/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nulab","download_url":"https://codeload.github.com/nulab/nginx-length-hiding-filter-module/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244591486,"owners_count":20477709,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["nginx"],"created_at":"2024-08-02T01:01:51.607Z","updated_at":"2025-03-20T09:55:39.665Z","avatar_url":"https://github.com/nulab.png","language":"C","funding_links":[],"categories":["C","Bot mitigation"],"sub_categories":[],"readme":"\n# Nginx Length Hiding Filter Module\n\n[![Build Status](https://travis-ci.org/nulab/nginx-length-hiding-filter-module.svg?branch=master)](https://travis-ci.org/nulab/nginx-length-hiding-filter-module)\n\n## Introduction\n\nIn [BREACH site](http://breachattack.com/), the mitigations against BREACH attack are given as follows:\n\n1. Disabling HTTP compression\n2. Separating secrets from user input\n3. Randomizing secrets per request\n4. Masking secrets (effectively randomizing by XORing with a random secret per request)\n5. Protecting vulnerable pages with CSRF\n6. Length hiding (by adding random number of bytes to the responses)\n7. Rate-limiting the requests\n\nBREACH relies on HTTP compression and it's reasonable to disable it to secure your website. However without compresseion, some websites may meet severe performance degression or the cost may increase if you're charged based on the volume of traffic like AWS. In such case it may be difficult to turn off HTML compression for whole responses from your website and need to adopt other proper ways.\n\nOther mitigations listed from the 2nd to 5th above are basically applicable to your application but the 6th one, Length hiding, can be done on nginx. This filter module provides functionality to append randomly generated HTML comment to the end of response body to hide correct response length and make it difficult for attackers to guess secure token.\n\nThe sample of randomly appended HTML comment is here.\n```\n\u003c!-- random-length HTML comment: JnSLGWeWYWsoJ4dXS3ubLw3YOu3zfGTotlzx7UJUo26xuXICQ2cbpVy1Dprgv8Icj6QfOZx2Ptp9HxCVoevTxhKzMzV6xeYXao0oCngRWJRb4Tvive1iBAXLzrHlLg6jKwNKXrct0tJuA2TvWIRVIng6UoffIbCQLPbi63PwmWemOxVi6m3CPa6hCbAK2CaBR1jLux7UJa4WNN4H0yIDMElMglWWouY5m5FUqAn0afMmtErj0zkA2LMWxisZRES38XLoYycySmaBrIih5IixUsJFR0ei4uZ0IifgV5SnitoNzMusSQem9npObHuU2HKApneAjwnFdPSQZA9sRdSOE8agDI05P832mV1JIcOjsg0FgzxvSG7UEX0HdqBqp2jPOYYW0k5gGtmkiXWydRJfn9lGomxReUeqq2Aec69gplEM6a8aqH5TFgXrGK8jcaPISQlsKkMxJQ7Fp6fVDbmI59xCIvlk --\u003e\n```\nFor every response, length of the random strings will vary within a given range.\n\nThis idea originally came from [breach-mitigation-rails](https://github.com/meldium/breach-mitigation-rails/). Thanks team!\n\n## Warning\n\nAs said in breach-migration-rails, BREACH is complicated and wide-ranging attack and this module provides only PARTIAL protection. To secure your website or service wholly, you need to review BREACH paper and find proper way according to your own website or service.\n\n## Installation\n\nModule version | Nginx version\n--- | ---\n1.1.x | 1.10.1 or higher\n1.0.0 | 1.10.0 or earlier\n\nDownload nginx sources from [http://nginx.org](http://nginx.org) and unpack it.\n\nRun configure script with adding --add-module option with the directory where this module is extracted like this:\n```\n./configure --add-module=/path/to/nginx-length-hiding-filter-module\n```\nTo compile this module as dynamic module available in 1.9.11 or later, use `--add-dynamic-module` instead\n```\n./configure --add-dynamic-module=/path/to/nginx-length-hiding-filter-module\n```\nYou can add other options along with it. Then build and install.\n```\nmake\nsudo make install\n```\n\n## Configuration Directives\n\n\n### length_hiding\n\n* syntax: length_hiding on | off\n* default: off\n* context: http, server, location, if in location\n\nEnables or disables adding random generated HTML comment.\n\n### length_hiding_max\n\n* syntax: length_hiding_max size\n* default: 2048\n* context: http, server, location\n\nSets maximum length of random generated string used in HTML comment. The size should be within a range from 256 and 2048.\n\n### length_hiding_types\n\n* syntax: length_hiding_types \u003cmime_type\u003e [..]\n* default: text/html\n* context: http, server, location, if in location\n\nEnables adding random generated HTML comment to responses of the specified MIME types in addition to text/html. The special value * matches any MIME type. \n\n## Example Configuration\n\nEnable this module for specific location ('/hiding'). In this example, the length of random strings will be less than 1024.\n```\nserver {\n    listen       443 default_server deferred ssl http2;\n    server_name  example.com;\n    length_hiding_max 1024;\n\n    location /hiding {\n        length_hiding on;\n    }\n}\n```\n\nIf this module is built as dynamic module, do NOT forget including `load_module` line in nginx configuration.\n```\nload_module modules/ngx_http_length_hiding_filter_module.so;\n```\n\n## Services using this module\n\n* [Cacoo](https://cacoo.com/)\n* [Backlog](https://backlog.com/)\n* [Typetalk](https://typetalk.com/)\n* [Nulab Account](https://apps.nulab.com/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnulab%2Fnginx-length-hiding-filter-module","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnulab%2Fnginx-length-hiding-filter-module","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnulab%2Fnginx-length-hiding-filter-module/lists"}