add ENABLE_RESPONSE_COMPRESSION option (#919)

tylanderson · web-flow · commit 6b9fc1fa3557 · 2025-07-02T17:48:05.000Z
* add ENABLE_RESPONSE_COMPRESSION option

* add note on compression to README

* add audit exceptions with expiry

* update changelog
diff --git a/.nsprc b/.nsprc
@@ -0,0 +1,12 @@
+{
+  "1105443": {
+    "active": true,
+    "notes": "Ignored, check back for updated deps",
+    "expiry": "2026-05-01"
+  },
+  "1105444": {
+    "active": true,
+    "notes": "Ignored, check back for updated deps",
+    "expiry": "2026-05-01"
+  }
+}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [Unreleased] - Unreleased
+
+### Changed
+
+- Compression is enabled by default, can be disabled by setting
+  `ENABLE_RESPONSE_COMPRESSION` to `false`. If using post-hooks, you must update
+  to hooks to handle compression or disable compression.
+
 ## [4.2.0] - 2025-05-05
 
 ### Added
diff --git a/README.md b/README.md
@@ -609,9 +609,10 @@ There are some settings that should be reviewed and updated as needeed in the se
 | CORS_CREDENTIALS                 | Configure whether or not to send the `Access-Control-Allow-Credentials` CORS header. Header will be sent if set to `true`.                                                                                                                                                      | none                                                                                 |
 | CORS_METHODS                     | Configure whether or not to send the `Access-Control-Allow-Methods` CORS header. Expects a comma-delimited string, e.g., `GET,PUT,POST`.                                                                                                                                        | `GET,HEAD,PUT,PATCH,POST,DELETE`                                                     |
 | CORS_HEADERS                     | Configure whether or not to send the `Access-Control-Allow-Headers` CORS header. Expects a comma-delimited string, e.g., `Content-Type,Authorization`. If not specified, defaults to reflecting the headers specified in the request’s `Access-Control-Request-Headers` header. | none                                                                                 |
-| ENABLE_COLLECTIONS_AUTHX         | Enables support for hidden `_collections` query parameter / field when set to `true`.                                                                                                                                                                                                              | none (not enabled)                                                                                 |
-| ENABLE_THUMBNAILS         | Enables support for presigned thumbnails.                                                                                                                                                                                                              | none (not enabled)                                                                                |
-| ENABLE_INGEST_ACTION_TRUNCATE         | Enables support for ingest action "truncate".                                                                                                                                                                                                              | none (not enabled)                                                                                |
+| ENABLE_COLLECTIONS_AUTHX         | Enables support for hidden `_collections` query parameter / field when set to `true`.                                                                                                                                                                                           | none (not enabled)                                                                   |
+| ENABLE_THUMBNAILS                | Enables support for presigned thumbnails.                                                                                                                                                                                                                                       | none (not enabled)                                                                   |
+| ENABLE_INGEST_ACTION_TRUNCATE    | Enables support for ingest action "truncate".                                                                                                                                                                                                                                   | none (not enabled)                                                                   |
+| ENABLE_RESPONSE_COMPRESSION      | Enables response compression. Set to 'false' to disable.                                                                                                                                                                                                                        | enabled                                                                              |
 
 Additionally, the credential for OpenSearch must be configured, as decribed in the
 section [Populating and accessing credentials](#populating-and-accessing-credentials).
@@ -1293,6 +1294,10 @@ The post-hook Lambda configuration may reference any Lambda, not only one deploy
 of this stack. There is an example post-hook Lambda that can be included with this stack,
 which provides an example of how to interact with the response, but does not modify it.
 
+If compression is enabled with `ENABLE_RESPONSE_COMPRESSION`, you should ensure that the
+post-hook deployed handles compressed responses, or for the example post-hook lambda,
+disable compression.
+
 To enable this example post-hook:
 
 - Modify bin/build.sh to not exclude the "post-hook" package from being built.
diff --git a/bin/system-tests.sh b/bin/system-tests.sh
@@ -8,6 +8,7 @@ export AWS_ACCESS_KEY_ID='none'
 export AWS_SECRET_ACCESS_KEY='none'
 export ENABLE_TRANSACTIONS_EXTENSION=true
 export REQUEST_LOGGING_ENABLED=false
+# export ENABLE_RESPONSE_COMPRESSION=false
 
 echo "Running tests"
 set +e
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -59,6 +59,7 @@
     "@mapbox/extent": "^0.4.0",
     "@opensearch-project/opensearch": "^2.13.0",
     "@redocly/cli": "^1.34.2",
+    "compression": "^1.8.0",
     "cors": "^2.8.5",
     "express": "^4.21.2",
     "got": "^13.0",
diff --git a/src/lambdas/api/app.js b/src/lambdas/api/app.js
@@ -1,6 +1,7 @@
 import cors from 'cors'
 import createError from 'http-errors'
 import express from 'express'
+import compression from 'compression'
 import morgan from 'morgan'
 import path from 'path'
 import { fileURLToPath } from 'url'
@@ -47,6 +48,10 @@ app.use(cors({
 
 app.use(express.json({ limit: '1mb' }))
 
+if (process.env['ENABLE_RESPONSE_COMPRESSION'] !== 'false') {
+  app.use(compression())
+}
+
 app.use(addEndpoint)
 
 app.get('/', async (req, res, next) => {
diff --git a/tests/system/test-api-get-root.js b/tests/system/test-api-get-root.js
@@ -99,3 +99,13 @@ test('GET / returns links with the correct endpoint if `X-STAC-Endpoint` is set'
   t.not(apiLink, undefined)
   t.is(apiLink.href, `${url}/api`)
 })
+
+test('GET / returns a compressed response if ENABLE_RESPONSE_COMPRESSION', async (t) => {
+  const response = await t.context.api.client.get('', { resolveBodyOnly: false })
+
+  if (process.env['ENABLE_RESPONSE_COMPRESSION'] !== 'false') {
+    t.is(response.headers['content-encoding'], 'br')
+  } else {
+    t.true(response.headers['content-encoding'] === undefined)
+  }
+})
