From 1bfd7efb44eaabbc2cc8a9fb76297a3f9cb935bb Mon Sep 17 00:00:00 2001 From: James Rodewig Date: Wed, 20 May 2020 12:11:49 -0400 Subject: [PATCH] [DOCS] Fix default for `http.compression` setting (#56899) Elasticsearch enables HTTP compression by default. However, to mitigate potential security risks like the BREACH attack, compression is disabled by default if HTTPS is enabled. This updates the `http.compression` setting definition accordingly and adds additional context. Co-authored-by: Leaf-Lin <39002973+Leaf-Lin@users.noreply.github.com> --- docs/reference/modules/http.asciidoc | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/reference/modules/http.asciidoc b/docs/reference/modules/http.asciidoc index e1d911e306289..5dac0df2b5c7b 100644 --- a/docs/reference/modules/http.asciidoc +++ b/docs/reference/modules/http.asciidoc @@ -47,7 +47,12 @@ to `4kb` |`http.compression` |Support for compression when possible (with -Accept-Encoding). Defaults to `true`. +Accept-Encoding). If HTTPS is enabled, defaults to `false`. Otherwise, defaults +to `true`. + +Disabling compression for HTTPS mitigates potential security risks, such as a +https://en.wikipedia.org/wiki/BREACH[BREACH attack]. To compress HTTPS traffic, +you must explicitly set `http.compression` to `true`. |`http.compression_level` |Defines the compression level to use for HTTP responses. Valid values are in the range of 1 (minimum compression) and 9 (maximum compression). Defaults to `3`.
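Review bot: In the first added sentence of the `http.compression` cell, "If HTTPS is enabled" does not say which setting determines that, so a reader cannot tell from this row alone which default applies to their node; name or link the setting that enables HTTPS on the HTTP layer. The closing sentence, "To compress HTTPS traffic, you must explicitly set `http.compression` to `true`", gives the opt-in without saying that it removes the BREACH mitigation described just before it. Consider adding a short clause to that effect so the instruction is not read in isolation.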