diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityHttpSettings.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityHttpSettings.java
index 2c2a9bad4d560..5d8f46b9405e2 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityHttpSettings.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityHttpSettings.java
@@ -16,6 +16,12 @@ public final class SecurityHttpSettings {
     private SecurityHttpSettings() {}
 
     public static void overrideSettings(Settings.Builder settingsBuilder, Settings settings) {
+        // HTTP response compression over TLS risks side-channel vulnerabilities such as BREACH[1] if ES is used in very specific ways. We
+        // cannot be sure that ES is not being used in such a manner here, so we disable compression by default when TLS is enabled for the
+        // REST layer and rely on the user explicitly setting `http.compression: true` to confirm that they do not have a vulnerable
+        // usage pattern.
+        //
+        // [1] https://www.breachattack.com/
         if (HTTP_SSL_ENABLED.get(settings) && SETTING_HTTP_COMPRESSION.exists(settings) == false) {
             settingsBuilder.put(SETTING_HTTP_COMPRESSION.getKey(), false);
         }
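Review bot: The override inside the `if` block is silent, so an operator who the new comment expects to opt back in with `http.compression: true` gets no runtime signal that the default was changed for them; consider logging once when the override fires, e.g. `logger.info("disabling HTTP compression because TLS is enabled for the REST layer and [{}] is not set explicitly", SETTING_HTTP_COMPRESSION.getKey());` (illustrative — no logger is visible in this hunk, so one would need to exist or be added to the class). The comment could also state the precondition instead of "very specific ways": BREACH is only a concern when a single compressed response body carries both a secret and content an untrusted party can influence, which tells a reader which deployments the opt-in is safe for. The closing brace of `overrideSettings` lies outside the hunk.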