BREACH is likely a False Positive

cloud-gov · Feb 3, 2025 · 3835ce9 · 3835ce9
1 parent 08726fe
commit 3835ce9
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/_docs/compliance/domain-standards.md b/_docs/compliance/domain-standards.md
@@ -67,8 +67,9 @@ according to the [BREACH authors](https://breachattack.com), including the follo
 
 Since any modern web application framework should include CSRF token masking to mitigate BREACH,
 disabling compression is not necessary, and would badly impact all end users of cloud.gov. We
-suggest that you mitigate BREACH at the application level, or carry the finding as an operational
-requirement.
+suggest that you mitigate BREACH at the application level, and if the application-level mitigations
+are in place, denote the scanner finding as a false positive.
+
 
 ## DNSSEC