HTTP data is compressed before it is sent from the server: compliant browsers announce to the server which methods they support before downloading the correct format; browsers that do not support a compliant compression method download uncompressed data.
At a higher level, a Content-Encoding header field may indicate that a resource being transferred, cached, or otherwise referenced is compressed.
The web client advertises which compression schemes it supports by including a list of tokens in the HTTP request.
If the server compresses the response, it adds a Content-Encoding or Transfer-Encoding field to the HTTP response listing the schemes used, separated by commas.
The official list of tokens available to servers and clients is maintained by IANA,[4] and it includes:
In addition to these, a number of unofficial or non-standardized tokens are used in the wild by either servers or clients:
Many content delivery networks also implement HTTP compression to speed up delivery of resources to end users.
A 2009 article by Google engineers Arvind Jain and Jason Glasgow states that more than 99 person-years are wasted[18] daily due to the increase in page load time when users do not receive compressed content.
A BREACH attack can extract login tokens, email addresses or other sensitive information from TLS-encrypted web traffic in as little as 30 seconds (depending on the number of bytes to be extracted), provided the attacker tricks the victim into visiting a malicious web link.
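The negotiation described above (tokens advertised in the request's Accept-Encoding field, the chosen scheme returned in Content-Encoding), as an added Python example that is not part of the original page. It goes one step further by leaving responses flagged as sensitive uncompressed, which is one established BREACH mitigation. The names `SUPPORTED`, `parse_accept_encoding`, `choose_coding`, `build_response` and the `sensitive` flag are hypothetical.

```python
import gzip
import zlib

# Codings this example server can produce, in server preference order (assumption).
SUPPORTED = ("gzip", "deflate")

def parse_accept_encoding(header):
    """Return {token: q} from an Accept-Encoding value, e.g. 'gzip, br;q=0.5'."""
    weights = {}
    for item in header.split(","):
        token, _, params = item.strip().partition(";")
        token = token.strip().lower()
        if not token:
            continue
        q = 1.0  # a token without a weight defaults to q=1
        name, _, value = params.strip().partition("=")
        if name.strip().lower() == "q":
            try:
                q = min(max(float(value), 0.0), 1.0)
            except ValueError:
                q = 0.0  # malformed weight: treat the coding as refused
        weights[token] = q
    return weights

def choose_coding(header):
    """Pick the supported coding with the highest q; otherwise use identity."""
    weights = parse_accept_encoding(header or "")
    best, best_q = "identity", 0.0
    for coding in SUPPORTED:
        q = weights.get(coding, weights.get("*", 0.0))  # "*" covers unlisted codings
        if q > best_q:
            best, best_q = coding, q
    return best  # note: an explicit identity;q=0 is not handled here

def build_response(body, accept_encoding, sensitive=False):
    """Return (headers, payload). sensitive=True skips compression (BREACH)."""
    coding = "identity" if sensitive else choose_coding(accept_encoding)
    headers = {"Vary": "Accept-Encoding"}  # caches must key on the request field
    if coding == "gzip":
        body = gzip.compress(body)
    elif coding == "deflate":
        body = zlib.compress(body)  # the "deflate" token means a zlib-wrapped stream
    if coding != "identity":
        headers["Content-Encoding"] = coding
    headers["Content-Length"] = str(len(body))
    return headers, body

if __name__ == "__main__":  # constructed request header and body
    print(build_response(b"hello " * 50, "br;q=1.0, gzip;q=0.8")[0])
```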