HTTP Gzip, Deflate, and Brotli: Compression Encoding for Web Developers

HTTP defines two separate headers for encoding: Content-Encoding and Transfer-Encoding, and confusing them is a common source of bugs. Content-Encoding describes a transformation applied to the message body before transmission and is end-to-end — it travels with the message all the way to the final recipient. When a server sends Content-Encoding: gzip, the client must decompress the body to get the original content. Proxies and CDNs must preserve and forward this header unchanged.

Transfer-Encoding describes a transformation applied for a single network hop and is removed by each node that processes it. Transfer-Encoding: chunked, for example, is used to stream a response of unknown length. It is stripped by the first HTTP proxy or load balancer and never reaches the browser. Transfer-Encoding: gzip (as a hop-by-hop encoding) is almost never used in practice — nearly all HTTP compression uses Content-Encoding.

The practical difference matters when you have a reverse proxy in front of your application. If your application sets Transfer-Encoding: gzip instead of Content-Encoding: gzip, nginx will strip the Transfer-Encoding header and forward the raw compressed bytes to the browser without the Content-Encoding header that tells the browser how to decompress them. The browser receives garbled binary data instead of readable JSON or HTML.

Brotli (the 'br' encoding value) is a modern compression algorithm developed by Google, standardized in RFC 7932. Brotli achieves 15-20% better compression ratios than gzip on typical web assets (HTML, CSS, JavaScript) while maintaining similar or better decompression speed. It is supported in all modern browsers. However, Brotli is computationally more expensive to compress at maximum quality, making it more suitable for pre-compressed static assets than for on-the-fly compression of dynamic API responses where you would use a lower quality level (quality 4-6 instead of the maximum 11).

The fastest way to diagnose compression issues is with curl: curl -v -H 'Accept-Encoding: gzip, br' https://yourapi.com/endpoint --output /tmp/response. The -v flag shows the response headers, and --output saves the body to a file. Check the response headers for Content-Encoding. If it shows 'gzip' or 'br', the body is compressed. If you see garbled characters in the response body when piping to a terminal, that confirms binary compressed data is being received without decompression.

For double-compression issues, compare the response body size with and without the Accept-Encoding header. If the response is larger when Accept-Encoding is included, the body may be getting compressed twice. Verify by decompressing once: if the result is still binary rather than readable text, decompress again. Double-compressed responses are typically caused by a reverse proxy (nginx, Cloudflare, AWS ALB) compressing a response that your application already compressed.

For 'incorrect header check' errors in zlib.gunzip(), the compressed data may have been corrupted in transit, or the encoding may be deflate rather than gzip. Gzip and deflate both use the deflate algorithm internally, but gzip wraps it in an additional header and CRC checksum. The two are not interchangeable. Node.js zlib.createGunzip() handles gzip; zlib.createInflate() or zlib.createInflateRaw() handles deflate. The 'deflate' Content-Encoding value in HTTP actually uses the zlib format (RFC 1950), not raw deflate — a historical confusion in the HTTP specification.

For the Vary header issue, use your CDN's cache inspection tool or curl with --header 'Accept-Encoding:' (empty) vs '--header 'Accept-Encoding: gzip' and compare the responses. If both return the same compressed content, the CDN is not respecting Vary: Accept-Encoding and is serving compressed responses to clients that did not request compression.

For Express applications, use the compression npm package (maintained by the Express team). It automatically handles Accept-Encoding negotiation, sets Content-Encoding, and adds Vary: Accept-Encoding. Install with npm install compression and add app.use(compression()) before your routes. The default threshold is 1024 bytes — responses smaller than 1 KB are not compressed. For Brotli support in Express, use the shrink-ray-current or express-static-gzip packages.

For Node.js core HTTP servers, use zlib.createGzip() or zlib.createBrotliCompress() as Transform streams. The key pattern is: check req.headers['accept-encoding'] for the supported encoding, create the appropriate compressor, pipe the compressor to res (the response stream), and write your data to the compressor. Do not set Content-Length when using streaming compression because the compressed size is not known in advance — let the HTTP chunked transfer encoding handle framing.

For pre-compressing static assets, generate both gzip (.gz) and Brotli (.br) versions during your build process. With webpack, use CompressionWebpackPlugin with both gzip and brotli configurations. With Vite, the vite-plugin-compression plugin supports both formats. Serve them with nginx using the gzip_static and brotli_static directives, which serve .gz and .br files directly when the client supports them, avoiding runtime compression CPU overhead entirely.

For Fastify, use the @fastify/compress plugin which supports gzip, deflate, and Brotli out of the box with content-type filtering (you typically do not want to compress already-compressed formats like JPEG). The plugin automatically adds Vary: Accept-Encoding and handles content negotiation according to RFC 7231 quality values in the Accept-Encoding header.

A gzip bomb (also called a zip bomb or decompression bomb) is a small compressed file that expands to an enormous size when decompressed, causing memory exhaustion or disk fill-up. A classic example is a 1 MB gzip file that expands to 1 GB or more of repeated null bytes. Protect against gzip bombs in Node.js by limiting the decompressed size: create a counter that increments in the 'data' event handler and close the stream if it exceeds your limit (typically 10-50 MB for API requests). The gunzip stream's error event fires if the compressed data is malformed but not if it is simply enormous.

Never attempt to compress already-compressed data formats. JPEG, PNG, WebP, AVIF, MP3, MP4, ZIP, PDF, and WebAssembly files are already compressed internally. Applying gzip to them typically increases the file size by 1-5% due to gzip's own headers and the entropy of compressed data being near-random. The compression middleware in Express uses a content-type filter to avoid this: it only compresses text/html, application/json, text/css, application/javascript, and similar text-based types.

Streaming large responses requires special handling. If you are streaming a database query result as JSON (using a streaming JSON serializer like @fastify/response-serialization or jsonstream), pipe it through a gzip compressor before the response. The zlib streams are Node.js Transform streams and work naturally in the pipe chain: dbStream.pipe(jsonStringifier).pipe(zlib.createGzip()).pipe(res). Set Transfer-Encoding: chunked (which is the default for streamed responses in HTTP/1.1) and Content-Encoding: gzip, but do not set Content-Length.

HTTP/2 changes the picture slightly. HTTP/2 uses binary framing and HPACK header compression for headers, which is separate from Content-Encoding compression of the body. HTTP/2 still supports the same Content-Encoding values (gzip, br, deflate) for body compression. However, HTTP/2 cannot use Transfer-Encoding: chunked — it uses its own DATA frame mechanism for streaming. Most HTTP/2 implementations handle this transparently, but if you are writing low-level HTTP/2 code, be aware that Transfer-Encoding is not a valid HTTP/2 header.

Compressing small responses is a common premature optimization that wastes CPU. Compressing a 200-byte JSON error response takes more CPU time than the savings from network transfer, especially on localhost or local network connections where bandwidth is not the bottleneck. The compression middleware default threshold of 1024 bytes is a reasonable starting point. Profile your response size distribution before adjusting the threshold.

Not invalidating the CDN cache after changing compression settings is a production incident waiting to happen. If you enable gzip on a server and the CDN does not have Vary: Accept-Encoding in the cached response, the CDN may serve the uncompressed cached version to new clients, ignoring the new compression. Similarly, if you disable compression, the CDN may serve stale compressed responses. Always add Vary: Accept-Encoding before enabling compression, and purge the CDN cache when changing compression settings.

Using the wrong Accept-Encoding quality values in client code. The Accept-Encoding header supports quality values (q=0-1) to indicate preference order: Accept-Encoding: br;q=1.0, gzip;q=0.8, identity;q=0.6. If you set a quality value of 0 for identity (uncompressed), some servers interpret this as refusing to serve uncompressed responses and may return a 406 Not Acceptable error. Avoid setting identity;q=0 unless you are certain all servers support the required encoding.

Assuming all clients support decompression is incorrect for programmatic HTTP clients. curl decompresses gzip when you pass the --compressed flag but not by default. Python's requests library decompresses gzip automatically. Go's net/http client decompresses gzip automatically but removes the Content-Encoding header afterward, which surprises developers expecting to check the header. Always test your compression implementation with both a browser and at least one programmatic HTTP client.

Use Brotli for pre-compressed static assets and gzip for dynamic API responses. Brotli at quality level 11 (maximum) achieves the best compression ratios but is 100x slower to compress than gzip. For build-time pre-compression of JavaScript bundles and CSS, the extra compression time is acceptable. For on-the-fly compression of API responses, use gzip (zlib.Z_DEFAULT_COMPRESSION) or Brotli at quality 4-6, which compresses in milliseconds.

Always set Vary: Accept-Encoding when serving compressed content. This tells CDNs and intermediate caches to store separate versions of the response for different Accept-Encoding values. Without this header, a CDN that caches a gzip-compressed response may serve it to a client that did not include Accept-Encoding: gzip, resulting in undecodable binary data.

Measure compression ratios for your actual content. Typical compression ratios: JSON API responses achieve 3-5x compression (gzip) and 3.5-6x (Brotli). HTML with inline CSS achieves 5-10x. Minified JavaScript achieves 2-3x. Database exports in CSV format can achieve 10-20x. Pre-compressed binary formats (JPEG, ZIP, WebAssembly) achieve less than 1x (actually increase in size). Use these ratios to calculate the bandwidth savings vs CPU cost tradeoff for your workload.

For Content-Security-Policy and compression, be aware of the BREACH attack (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext). BREACH exploits HTTP compression to infer parts of a secret (like a CSRF token) in a response by observing compressed response sizes. Mitigations include: length hiding (padding responses to fixed sizes), CSRF token rotation, or disabling compression for responses that include user-controlled content alongside secrets. The Express csrf protection pattern of using synchronizer tokens is generally sufficient.