[Audit] actix: /compression uses default gzip level (6) instead of required level 1 #73

@jerrythetruckdriver

Violation

File: frameworks/actix/src/main.rs
Endpoint: /compression

What it does

The actix implementation uses actix_web::middleware::Compress::default() (line in App::new().wrap(...)) for gzip compression. The Compress::default() constructor uses flate2's default compression level, which is level 6.

App::new()
    .wrap(actix_web::middleware::Compress::default())

What the spec requires

The test profile specifies:

Must use gzip level 1 (fastest)

Suggested fix

Configure the compress middleware to use level 1. With actix-web's Compress middleware, you need to set the quality level explicitly. One approach:

use actix_web::middleware::Compress;
use flate2::Compression;

// actix-web does not directly expose compression level on Compress middleware,
// so you may need to implement a custom encoding wrapper or use the
// content_encoding_negotiation feature with explicit quality settings.

Alternatively, implement manual gzip compression using flate2::write::GzEncoder with Compression::fast() (level 1) and return the pre-compressed bytes with the appropriate Content-Encoding: gzip header.

Additional note (gray area)

The /compression endpoint also pre-computes totals and pre-serializes the JSON at startup via build_json_cache(). The spec says "Compute total field for each item, serialize to JSON" which could be interpreted as requiring per-request computation. However, the compression itself happens per-request via the middleware, so this is borderline — flagging it for awareness but not calling it a hard violation.

(Same gray area pattern as go-fasthttp, see #66)
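
One way to check a fix from the wire, as an added example that is not part of the original issue or the project's code: the gzip header defined in RFC 1952 carries an XFL byte that an encoder may set to 4 for its fastest algorithm or 2 for maximum compression. The sketch assumes the encoder fills in that hint, so a value other than 4 is a reason to read the handler code, not proof of the level; the type and function names and the sample headers are constructed for illustration.

```rust
// Added example: read the RFC 1952 XFL hint from the start of a gzip body
// to see which effort class the encoder reported.

#[derive(Debug, PartialEq)]
enum LevelHint {
    Fastest,     // XFL = 4: encoder reports its fastest algorithm (level 1)
    Best,        // XFL = 2: encoder reports maximum compression (level 9)
    Unspecified, // anything else: a middle level such as 6, or hint not set
}

#[derive(Debug, PartialEq)]
enum HeaderError {
    TooShort,   // fewer than the 10 fixed header bytes
    BadMagic,   // ID1/ID2 are not 0x1f 0x8b, so this is not gzip
    NotDeflate, // CM is not 8, the only method RFC 1952 defines
}

/// Parse the fixed 10-byte gzip header: ID1 ID2 CM FLG MTIME(4) XFL OS.
fn gzip_level_hint(body: &[u8]) -> Result<LevelHint, HeaderError> {
    if body.len() < 10 {
        return Err(HeaderError::TooShort);
    }
    if body[0] != 0x1f || body[1] != 0x8b {
        return Err(HeaderError::BadMagic);
    }
    if body[2] != 8 {
        return Err(HeaderError::NotDeflate);
    }
    // XFL is the ninth byte (offset 8), after the four MTIME bytes.
    Ok(match body[8] {
        4 => LevelHint::Fastest,
        2 => LevelHint::Best,
        _ => LevelHint::Unspecified,
    })
}

fn main() {
    // Constructed sample headers (first 10 bytes of a gzip body), not captures.
    let fastest: [u8; 10] = [0x1f, 0x8b, 8, 0, 0, 0, 0, 0, 4, 0xff];
    let middle: [u8; 10] = [0x1f, 0x8b, 8, 0, 0, 0, 0, 0, 0, 0xff];
    for (name, hdr) in [("XFL=4", fastest), ("XFL=0", middle)] {
        println!("{}: {:?}", name, gzip_level_hint(&hdr));
    }
}
```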
