BREACH attack against compressed TLS
If you haven't been following the email thread on this: there is a new vulnerability for leaking secrets that are repeatedly transferred over compressed HTTPS. A person in the middle observing HTTPS traffic can recover secrets (e.g. XSRF tokens) using several thousand requests to the server with TLS and compression enabled.
For rails (This is not a guaranteed fix): https://github.com/meldium/breach-mitigation-rails
For django: https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
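Both mitigations linked above rely on the same idea: never let the same secret bytes appear unchanged in successive compressed responses, so a reflected guess has no stable plaintext to match against. The following is an added illustration of that idea in Python (it is not Django's or the rails gem's code): each response embeds the session secret XORed with a fresh random mask, the server unmasks and compares in constant time on submit, and a random-length padding helper shows the weaker "length hiding" companion technique. The 16-byte SESSION_SECRET and all function names are constructed for this example.

```python
import hmac
import secrets
from typing import Optional

# Constructed example secret; in a real app this is the per-session CSRF/XSRF secret.
SESSION_SECRET = bytes.fromhex("5f3c9a1b7e2d4c6a8b0f1e2d3c4b5a69")


def mask_token(secret: bytes) -> str:
    """Return a single-use presentation of `secret` for embedding in a page.

    A random one-time mask of the same length is XORed with the secret, and
    mask || (secret XOR mask) is emitted as hex. The same secret therefore
    looks different in every response, so a compressor can never find a
    long shared substring between the token and attacker-reflected text.
    """
    mask = secrets.token_bytes(len(secret))
    masked = bytes(s ^ m for s, m in zip(secret, mask))
    return (mask + masked).hex()


def unmask_token(token: str) -> Optional[bytes]:
    """Reverse mask_token; returns None on malformed input instead of raising."""
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return None
    if len(raw) == 0 or len(raw) % 2 != 0:
        return None
    half = len(raw) // 2
    mask, masked = raw[:half], raw[half:]
    return bytes(m ^ x for m, x in zip(mask, masked))


def verify_token(submitted: str, session_secret: bytes) -> bool:
    """Server-side check on form submit. compare_digest is constant-time and
    returns False (rather than raising) when lengths differ."""
    recovered = unmask_token(submitted)
    if recovered is None:
        return False
    return hmac.compare_digest(recovered, session_secret)


def length_hiding_pad() -> bytes:
    """Random-length HTML comment appended to a response body.

    This only adds noise to the compressed length; an attacker can average it
    away with more requests, so treat it as a complement to masking, not a
    replacement for it.
    """
    return b"<!-- " + secrets.token_urlsafe(secrets.randbelow(64) + 1).encode() + b" -->"


def render_form(secret: bytes) -> bytes:
    """Minimal page fragment carrying a masked token plus length padding."""
    body = b'<input type="hidden" name="xsrf" value="' + mask_token(secret).encode() + b'">'
    return body + length_hiding_pad()


if __name__ == "__main__":
    page = render_form(SESSION_SECRET)
    print(page.decode())
    token = mask_token(SESSION_SECRET)
    print("verify own token:", verify_token(token, SESSION_SECRET))
    print("verify garbage  :", verify_token("not-hex", SESSION_SECRET))
```

Because the mask is regenerated per response, two pages rendered for the same session carry different token strings, yet both verify against the same stored secret.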
Want a PDF explaining it? http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf
This is derived from the CRIME attack, which uses the same technique to inject data into a compressed TLS request.
Disabling compression resolves this attack, with a significant performance hit.