I know that enabling http compression would make a server vulnerable to the BREACH attacks. So we have disabled compression from the server side, tested and it was all good.
Then we implemented CloudFlare for the instance. We performed the SSL security scan again and found that the application is using gzip and so it is vulnerable to BREACH. From a detailed inspection we identified that the compression is enabled by CloudFlare.
Then, in the next step, we disabled the Brotli compression offered by CloudFlare. But during testing, the scanner again detected compression. Now we are stuck. I understand that browser to CloudFlare traffic is compressed with Brotli and CloudFlare --> Server will remain uncompressed (since we have disabled gzip from the server side). Does this actually mitigate the BREACH attack issue?