diff --git a/CHANGELOG b/CHANGELOG
index 0b850566921f4aa939a957785717c345a3165bf5..e5444df94d0f1a9b1c799a864ca1f173c7a10086 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -189,19 +189,11 @@ in the server block, then reload your nginx server::
         gzip_vary          on;
 
         gzip_types
-            application/atom+xml
             application/javascript
-            application/json
-            application/ld+json
-            application/activity+json
-            application/manifest+json
-            application/rss+xml
             application/vnd.geo+json
             application/vnd.ms-fontobject
             application/x-font-ttf
             application/x-web-app-manifest+json
-            application/xhtml+xml
-            application/xml
             font/opentype
             image/bmp
             image/svg+xml
diff --git a/changes/changelog.d/678.bugfix b/changes/changelog.d/678.bugfix
new file mode 100644
index 0000000000000000000000000000000000000000..ba508bb879718f382c26d899e0d224585871f934
--- /dev/null
+++ b/changes/changelog.d/678.bugfix
@@ -0,0 +1 @@
+Removed potential BREACH exploit because of Gzip compression (#678)
diff --git a/changes/notes.rst b/changes/notes.rst
index 8e54adf8b0fd3249227937913a3a1ab7ec34d405..1276dd010b33d74da0ef0ff9c87da11133835122 100644
--- a/changes/notes.rst
+++ b/changes/notes.rst
@@ -6,6 +6,49 @@ Next release notes
     Those release notes refer to the current development branch and are reset
     after each release.
 
+Fix Gzip compression to avoid BREACH exploit [security] [manual action required]
+--------------------------------------------------------------------------------
+
+In the 0.18 release, we've enabled Gzip compression by default for various
+content types, including HTML and JSON. Unfortunately, enabling Gzip compression
+on such content types could make BREACH-type exploits possible.
+
+We've removed the risky content-types from our nginx template files, to ensure new
+instances are safe, however, if you already have an instance, you need
+to double check that your host nginx virtualhost do not include the following
+values for the ``gzip_types`` settings::
+
+   application/atom+xml
+   application/json
+   application/ld+json
+   application/activity+json
+   application/manifest+json
+   application/rss+xml
+   application/xhtml+xml
+   application/xml
+
+For convenience, you can also replace the whole setting with the following snippet::
+
+   gzip_types
+      application/javascript
+      application/vnd.geo+json
+      application/vnd.ms-fontobject
+      application/x-font-ttf
+      application/x-web-app-manifest+json
+      font/opentype
+      image/bmp
+      image/svg+xml
+      image/x-icon
+      text/cache-manifest
+      text/css
+      text/plain
+      text/vcard
+      text/vnd.rim.location.xloc
+      text/vtt
+      text/x-component
+      text/x-cross-domain-policy;
+
+
 Fix Apache configuration file for 0.18 [manual action required]
 ----------------------------------------------------------
 
@@ -39,4 +82,3 @@ In case you are using custom css and theming, you also need to match this block:
 
    ProxyPass "/custom" "!"
    Alias /custom /srv/funkwhale/custom
-
diff --git a/deploy/docker.proxy.template b/deploy/docker.proxy.template
index c4f89057defa8b4142d73dd737e80b238259819a..0fbed2f73d6015a817b878673cbdd15de0718154 100644
--- a/deploy/docker.proxy.template
+++ b/deploy/docker.proxy.template
@@ -37,19 +37,11 @@ server {
     gzip_vary          on;
 
     gzip_types
-        application/atom+xml
         application/javascript
-        application/json
-        application/ld+json
-        application/activity+json
-        application/manifest+json
-        application/rss+xml
         application/vnd.geo+json
         application/vnd.ms-fontobject
         application/x-font-ttf
         application/x-web-app-manifest+json
-        application/xhtml+xml
-        application/xml
         font/opentype
         image/bmp
         image/svg+xml
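Review bot: Trimming gzip_types here leaves text/html compressed, because nginx gzips text/html responses whenever gzip is enabled regardless of this list, so HTML pages that carry a per-session secret next to attacker-influenced content are not covered by the change; the same applies to the identical hunks in deploy/nginx.template and docker/nginx/conf.dev. Since the release notes in this commit name HTML as one of the affected types, the mitigation presumably needs `gzip off;` in the location blocks that proxy to the application (those blocks lie outside this hunk), or at least a comment such as `# text/html is always compressed by nginx when gzip is on; keep gzip for static assets only` so operators do not assume the list alone is sufficient. The retained text/plain and JSON-derived entries (application/vnd.geo+json, application/x-web-app-manifest+json) look like static-asset types, but it is worth confirming none of them is served with user-specific content before calling the remaining list safe.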
diff --git a/deploy/nginx.template b/deploy/nginx.template
index 125397ea308a9ddaaaef562798b06a18d9bd9181..7cdee70f48c320bc6e7ef1796c6a13b0d82b53f7 100644
--- a/deploy/nginx.template
+++ b/deploy/nginx.template
@@ -51,19 +51,11 @@ server {
     gzip_vary          on;
 
     gzip_types
-        application/atom+xml
         application/javascript
-        application/json
-        application/ld+json
-        application/activity+json
-        application/manifest+json
-        application/rss+xml
         application/vnd.geo+json
         application/vnd.ms-fontobject
         application/x-font-ttf
         application/x-web-app-manifest+json
-        application/xhtml+xml
-        application/xml
         font/opentype
         image/bmp
         image/svg+xml
diff --git a/docker/nginx/conf.dev b/docker/nginx/conf.dev
index ecb1c1d0c57293da2681d1254ec3cc960a8dbd17..50c3cbc2ef47f19b96f0c1716f933c61398e59c3 100644
--- a/docker/nginx/conf.dev
+++ b/docker/nginx/conf.dev
@@ -51,19 +51,11 @@ http {
         gzip_vary          on;
 
         gzip_types
-            application/atom+xml
             application/javascript
-            application/json
-            application/ld+json
-            application/activity+json
-            application/manifest+json
-            application/rss+xml
             application/vnd.geo+json
             application/vnd.ms-fontobject
             application/x-font-ttf
             application/x-web-app-manifest+json
-            application/xhtml+xml
-            application/xml
             font/opentype
             image/bmp
             image/svg+xml