By reading resources on the internet I got the impression that only the BODY of the response is compressed, because you need to read the 'Content-Encoding' header before you can decompress anything, and if that header were compressed, the browser would not be able to decompress it.
Later, I am reading about CRIME attack which states:
CRIME <...> is a security exploit against secret web cookies
which implies that web cookies are also compressed, as otherwise it would do no harm. But cookies are sent in the headers, so some of the headers must be compressed.
I would like a clear answer on which parts of the HTTP response HTTP compression actually compresses. Thanks.
EDIT: My misunderstanding came from confusing CRIME and BREACH.
CRIME focuses on TLS compression, which compresses headers with the body, so the cookies are included.
BREACH focuses on HTTP level compression, which doesn't talk about Cookies :)
Only the entity body (i.e. the payload or representation) is compressed, per the RFC:
The "Content-Encoding" header field indicates what content codings have been applied to the representation, beyond those inherent in the media type, and thus what decoding mechanisms have to be applied in order to obtain data in the media type referenced by the Content-Type header field. Content-Encoding is primarily used to allow a representation's data to be compressed without losing the identity of its underlying media type.
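Added example (not from the question or the answer above): building and parsing a small HTTP/1.1 response in Python shows the split the RFC describes. The status line and header fields, Set-Cookie included, stay plain ASCII and are what a client reads first; only the bytes after the blank line carry the gzip-encoded representation, and the client can decode them only after it has seen Content-Encoding. The cookie value and body are constructed sample data.

```python
import gzip

# Constructed sample data; the cookie is a placeholder, not a real session token.
SAMPLE_COOKIE = "session=constructed-example-value"
SAMPLE_BODY = b"<ul>" + b"<li>item</li>" * 20 + b"</ul>"


def build_response(body: bytes, cookie: str) -> bytes:
    """Return a raw HTTP/1.1 response whose entity body is gzip-encoded.

    Only the body is compressed; every header line is written as plain ASCII.
    """
    compressed = gzip.compress(body)
    head = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Content-Encoding: gzip\r\n"
        f"Set-Cookie: {cookie}; HttpOnly; Secure\r\n"
        f"Content-Length: {len(compressed)}\r\n"
        "\r\n"
    ).encode("ascii")
    return head + compressed


def parse_response(raw: bytes):
    """Parse headers first, then decode the body according to Content-Encoding."""
    head, _, payload = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Content-Length counts the encoded bytes on the wire, not the decoded body.
    payload = payload[: int(headers.get("content-length", len(payload)))]
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding == "gzip":
        body = gzip.decompress(payload)
    elif encoding == "identity":
        body = payload
    else:
        raise ValueError(f"unsupported Content-Encoding: {encoding}")
    return status, headers, body


def cookie_is_plaintext(raw: bytes, cookie: str) -> bool:
    """True if the cookie appears verbatim in the (uncompressed) header block."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return cookie.encode("ascii") in head
```

Running `parse_response(build_response(SAMPLE_BODY, SAMPLE_COOKIE))` returns the original body, while `cookie_is_plaintext` confirms the Set-Cookie line was never touched by the content coding.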