Comment on disabling compression when using HTTPS (#123877)

The lack of context here left me at a dead end. I didn't RTFM otherwise
I would have discovered #56899 added this info there, but for the sake
of future code-readers I'm adding the same info here.

Author: DaveCTurner

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityHttpSettings.java

@@ -16,6 +16,12 @@ public final class SecurityHttpSettings {
     private SecurityHttpSettings() {}
 
     public static void overrideSettings(Settings.Builder settingsBuilder, Settings settings) {
+        // HTTP response compression over TLS risks side-channel vulnerabilities such as BREACH[1] if ES is used in very specific ways. We
+        // cannot be sure that ES is not being used in such a manner here, so we disable compression by default when TLS is enabled for the
+        // REST layer and rely on the user explicitly setting `http.compression: true` to confirm that they do not have a vulnerable
+        // usage pattern.
+        //
+        // [1] https://www.breachattack.com/
         if (HTTP_SSL_ENABLED.get(settings) && SETTING_HTTP_COMPRESSION.exists(settings) == false) {
             settingsBuilder.put(SETTING_HTTP_COMPRESSION.getKey(), false);
         }