Practical Security Guides For Your Team
Clear, non-alarmist guidance for real web vulnerabilities so your team can prioritize fixes confidently.
HTTP Compression Enabled — Potential for Sensitive Data Leakage via BREACH
Severity: medium

Your web server is compressing responses using gzip or Brotli, which is a common performance feature. However, a known attack technique called BREACH can exploit this compression to gradually piece together sensitive data (such as login tokens or session cookies) from your encrypted traffic. Importantly, this only becomes a real risk if your site also reflects user input and serves secrets (like security tokens) in the same page response.
Outdated Axios Library Leaks Security Tokens to Third-Party Servers
Severity: medium

Your application uses an outdated version of Axios, a popular library that helps your app communicate with other services over the internet. Due to a bug in this version, a special security token (a cross-site request forgery, or CSRF, token, designed to protect your users from attacks in which a malicious website tricks their browser into taking actions on your site) is accidentally sent to every external server your app talks to, not just your own. Think of it like a master key being slipped under every door in the building instead of just your own front door.