On Aug 12, 2013, at 21:32 , offmind wrote: > And what if we are using gzip_static? > As far as I understand, we have to block gzipping page code. But what about > .js .css with no secure content? Statically gzipped files do not depend on user input so they are not subject to BREACH. -- Igor Sysoev http://nginx.com/services.html