## Background and value

BREACH exploits the correlation between compressed response size and attacker-controlled input to leak secrets from a response body. Disabling compression on sensitive paths, adding random padding, and masking tokens significantly reduce the risk.

## Unified rules

- No compression: disable compression for user-specific responses and responses that carry sensitive data.
- Random padding: where controllable input is present, add random padding to perturb the compression ratio (this raises the number of samples an attacker needs rather than removing the leak).
- Token masking: mask CSRF and similar tokens so the literal token bytes never appear in the body.

## Core implementation

### Disabling compression and padding

```typescript
// Framework-agnostic request/response shapes used by the handlers below.
type Req = { path: string; userSpecific?: boolean }
type Res = { setHeader: (k: string, v: string) => void; end: (b?: string) => void }

// Paths whose responses carry user-specific secrets.
function isSensitive(path: string): boolean {
  return /\/(account|payment|profile)/.test(path)
}

// Random lowercase filler; relies on the Web Crypto global (browsers, Node 19+).
function randomPad(n = 64): string {
  const u = new Uint8Array(n)
  crypto.getRandomValues(u)
  return Array.from(u).map(x => String.fromCharCode(97 + (x % 26))).join('')
}

// Mark sensitive responses as uncompressible and uncacheable.
// X-Compress-Policy is a custom header honoured by the reverse proxy in front of the app.
function setCompressionPolicy(req: Req, res: Res) {
  if (req.userSpecific || isSensitive(req.path)) {
    res.setHeader('Cache-Control', 'private, no-store')
    res.setHeader('X-Compress-Policy', 'disable')
  }
  res.setHeader('X-Content-Type-Options', 'nosniff')
  res.setHeader('Vary', 'Accept-Encoding')
}

// Append an HTML comment of random length and random content so the compressed
// size of a response is no longer a fixed function of its content.
function withPadding(body: string, padMin = 32, padMax = 128): string {
  const r = new Uint32Array(1)
  crypto.getRandomValues(r)
  const n = padMin + (r[0] % (padMax - padMin + 1))
  return body + '\n' + '<!-- pad:' + randomPad(n) + '-->'
}
```

### Token masking (sketch)

```typescript
// Per-response masking: XOR the token with a fresh one-time key of the same
// length and emit "keyhex:maskedhex". The server recovers the token by XORing
// the two halves again; a random prefix alone would leave the token compressible.
function maskToken(t: string): string {
  const tok = new TextEncoder().encode(t)
  const key = crypto.getRandomValues(new Uint8Array(tok.length))
  const hex = (b: Uint8Array) => Array.from(b).map(x => x.toString(16).padStart(2, '0')).join('')
  return hex(key) + ':' + hex(tok.map((x, i) => x ^ key[i]))
}
```

## Deployment recommendations

- Disable compression on sensitive responses and set a private cache policy; add random padding where needed.
- Mask controllable input and tokens, or mix in unrelated data, to reduce predictability.

## Verification checklist

- Is compression disabled and a private cache policy set on sensitive paths?
- Does the response contain random padding?
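The checklist above as an audit function over a captured response, added here as example code rather than code from the original post; the `Snapshot` shape, the `X-Compress-Policy` value and the padding-marker format are assumptions taken from the snippets above.

```typescript
// Assumed shape of a captured response; the field names are illustrative.
type Snapshot = { path: string; headers: Record<string, string>; body: string }

const SENSITIVE = /\/(account|payment|profile)/ // same path rule as the post
const PAD_RE = /<!-- pad:([a-z]+)-->\s*$/        // marker emitted by withPadding

// Case-insensitive header lookup.
function header(h: Record<string, string>, name: string): string {
  const k = Object.keys(h).find(x => x.toLowerCase() === name.toLowerCase())
  return k ? h[k] : ''
}

// Returns one finding per checklist item the response violates; [] means compliant.
function auditResponse(r: Snapshot, padMin = 32, padMax = 128): string[] {
  const findings: string[] = []
  if (!SENSITIVE.test(r.path)) return findings // checklist only covers sensitive paths

  const enc = header(r.headers, 'content-encoding').toLowerCase()
  if (enc && enc !== 'identity') findings.push(`compression enabled (${enc})`)
  if (header(r.headers, 'x-compress-policy') !== 'disable') findings.push('x-compress-policy is not "disable"')

  const cc = header(r.headers, 'cache-control').toLowerCase()
  if (!cc.includes('private') || !cc.includes('no-store')) findings.push('cache-control lacks private/no-store')

  const m = PAD_RE.exec(r.body)
  if (!m) findings.push('no random padding marker in body')
  else if (m[1].length < padMin || m[1].length > padMax) findings.push(`padding length ${m[1].length} outside [${padMin}, ${padMax}]`)

  return findings
}

// Constructed sample responses, not captured traffic.
const compliant: Snapshot = {
  path: '/account/settings',
  headers: { 'Cache-Control': 'private, no-store', 'Vary': 'Accept-Encoding', 'X-Compress-Policy': 'disable' },
  body: '<p>balance</p>\n<!-- pad:' + 'q'.repeat(40) + '-->',
}
const leaky: Snapshot = {
  path: '/payment/confirm',
  headers: { 'Content-Encoding': 'gzip', 'Cache-Control': 'public, max-age=60' },
  body: '<p>ok</p>',
}
```

Running `auditResponse` over responses recorded from a staging deployment gives a quick regression check that the proxy is still honouring the policy after configuration changes.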
