From ef7231039a471ba57705e032519b1a34d7b78e81 Mon Sep 17 00:00:00 2001 From: Leaf-Lin <39002973+Leaf-Lin@users.noreply.github.com> Date: Thu, 21 May 2020 01:53:10 +1000 Subject: [PATCH] [DOCS] Fix default for `http.compression` setting (#56899) Elasticsearch enables HTTP compression by default. However, to mitigate potential security risks like the BREACH attack, compression is disabled by default if HTTPS is enabled. This updates the `http.compression` setting definition accordingly and adds additional context. --- docs/reference/modules/http.asciidoc | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/reference/modules/http.asciidoc b/docs/reference/modules/http.asciidoc index c79ef07f11ec1..5f968d74d7db9 100644 --- a/docs/reference/modules/http.asciidoc +++ b/docs/reference/modules/http.asciidoc @@ -48,7 +48,12 @@ to `4kb` |`http.compression` |Support for compression when possible (with -Accept-Encoding). Defaults to `true`. +Accept-Encoding). If HTTPS is enabled, defaults to `false`. Otherwise, defaults +to `true`. + +Disabling compression for HTTPS mitigates potential security risks, such as a +https://en.wikipedia.org/wiki/BREACH[BREACH attack]. To compress HTTPS traffic, +you must explicitly set `http.compression` to `true`. |`http.compression_level` |Defines the compression level to use for HTTP responses. Valid values are in the range of 1 (minimum compression) and 9 (maximum compression). Defaults to `3`.
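Review bot: In the added `http.compression` cell, "If HTTPS is enabled" does not say which setting decides that, so a reader cannot tell from this table alone which default their node gets; consider naming the setting that turns on TLS for the HTTP layer at that point. The last added sentence, "you must explicitly set `http.compression` to `true`", also reads as a neutral how-to right after the BREACH rationale; a short clause stating that setting it gives up the mitigation described in the preceding sentence would make the trade-off explicit for operators who re-enable compression over HTTPS.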