When Compression Hurts — Already Compressed Files

When Not to Compress: Already-Compressed Content

Gzip compression is not always beneficial. For certain file types, compression wastes server CPU and can actually increase the file size.

Files That Should NOT Be Compressed

File Type	Extensions	Why Not
JPEG images	.jpg, .jpeg	Already DCT-compressed
PNG images	.png	Already DEFLATE-compressed
WebP images	.webp	Already compressed
GIF images	.gif	Already LZW-compressed
MP4/WebM video	.mp4, .webm	Already codec-compressed
MP3/AAC audio	.mp3, .aac	Already codec-compressed
ZIP/RAR archives	.zip, .rar, .gz	Already compressed
WOFF2 fonts	.woff2	Already Brotli-compressed

What Happens When You Compress Compressed Data

When gzip encounters already-compressed data, it:

1. Cannot find patterns (compressed data appears random)
2. Adds overhead (gzip headers, checksums)
3. Wastes CPU cycles scanning for non-existent patterns

Result: output is the same size or larger than input.

The 1 KB Threshold

For very small files (under ~1 KB), gzip overhead can exceed savings:

100-byte input  → ~120 bytes gzipped (20% LARGER)
500-byte input  → ~480 bytes gzipped (4% savings)
1000-byte input → ~700 bytes gzipped (30% savings)
5000-byte input → ~2000 bytes gzipped (60% savings)

Correct nginx Configuration

gzip on;
gzip_min_length 1024;  # Skip files under 1 KB
gzip_types
  text/plain
  text/css
  text/javascript
  application/javascript
  application/json
  application/xml
  image/svg+xml;       # SVG is text-based, compresses well
# Note: image/jpeg, image/png, etc. are NOT included

The BREACH Attack Consideration

Beyond inefficiency, compressing HTTPS responses that contain both secrets (CSRF tokens) and user-controllable content can be exploited by the BREACH attack. This is a security reason to be selective about what you compress.