What are you Referrer-ing to?
Intro
Continuing on from my previous blog about website security week, we're going to talk about Referrers on the web.
Referrers on the web allow the site you are visiting to see which site you have come from: the Referer header (the name is actually misspelled in the HTTP specification) contains an absolute or partial URL of the page you've come from if you have followed a link. This is commonly used for tracking and analytics, but it can also be used to steal information, for example the contents of the URL of a password reset page, or any page where a token is part of the URL, which is why it comes under security headers.
Referrer-Policy
This header indicates how much information can be shared in the Referer header on requests made from your site.
Recommended setting:
Referrer-Policy: no-referrer
You can read more about it on Mozilla's documentation.
It can also be set in HTML as a meta tag, for example <meta name="referrer" content="origin">, and on individual links.
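To make the policy values concrete, here is an added example (my own code, not from the original post) that computes the Referer value a browser would send for a navigation under each Referrer-Policy, following the rules of the W3C Referrer Policy specification. It runs under Node.js using only the built-in URL class; the URLs, including the reset-token URL, are constructed for illustration.

```javascript
// Added example: what does each Referrer-Policy leak about the current page?
// All URLs below are constructed samples for illustration.

const POLICIES = [
  'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin',
  'strict-origin-when-cross-origin', 'unsafe-url',
];

// Browsers never send credentials or the fragment in a Referer header.
function stripForReferer(u) {
  const url = new URL(u);
  url.username = '';
  url.password = '';
  url.hash = '';
  return url.href;
}

// Simplified "potentially trustworthy" check: TLS or localhost.
function isTrustworthy(url) {
  return url.protocol === 'https:' || url.hostname === 'localhost';
}

// Returns the Referer string the browser would send, or null for no header.
function computeReferer(policy, fromUrl, toUrl) {
  if (!POLICIES.includes(policy)) throw new Error(`unknown policy: ${policy}`);
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const full = stripForReferer(fromUrl);   // whole URL, query string included
  const originOnly = from.origin + '/';     // scheme + host (+ port) only
  const sameOrigin = from.origin === to.origin;
  // A "downgrade" is leaving a TLS-protected page for a non-TLS destination.
  const downgrade = isTrustworthy(from) && !isTrustworthy(to);

  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? full : null;
    case 'strict-origin': return downgrade ? null : originOnly;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
  }
}

// Tabulate what every policy reveals for one navigation.
function leakReport(fromUrl, toUrl) {
  const report = {};
  for (const p of POLICIES) report[p] = computeReferer(p, fromUrl, toUrl);
  return report;
}

// Constructed sample: a password reset page that carries its token in the URL,
// loading a third-party resource (e.g. a script or image) from another origin.
const RESET_PAGE = 'https://app.example/reset?token=CONSTRUCTED-SAMPLE-TOKEN';
const THIRD_PARTY = 'https://cdn.example/widget.js';

if (typeof require !== 'undefined' && require.main === module) {
  console.table(leakReport(RESET_PAGE, THIRD_PARTY));
}
```

Run it with `node referrer.js` and compare the rows: only no-referrer, same-origin and the three strict/origin variants keep the token out of the cross-origin request, while unsafe-url and no-referrer-when-downgrade (the historic browser default) send the full URL to the third party.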
Linking
Links, aka <a> tags, can include a more specific referrer policy than the site-wide one you set using the previous header. This can be controlled using the referrerpolicy attribute, for example:
This attribute can also be used on <a>, <area>, <img>, <iframe>, <script>, or <link> elements.
Alternatively, use the rel attribute to remove any referrer; this would be my recommended pattern. The rel attribute can be used on <a>, <area>, or <link> elements.
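As an added example (not part of the original post), here is a small Node.js script that audits the <a> tags in a page for cross-origin links that would still send a Referer, i.e. links carrying neither referrerpolicy="no-referrer" nor rel="noreferrer", and rewrites them to add rel="noreferrer". The sample HTML and the site origin https://app.example are constructed; the regex-based attribute parsing is deliberately simple and assumes reasonably well-formed markup.

```javascript
// Added example: find and fix cross-origin links that still leak a Referer.
// Sample markup and origins are constructed for illustration.

const TAG_RE = /<a\b([^>]*)>/gi;          // opening <a ...> tags only
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute string of one tag into a lower-cased name -> value map.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// True when this element will never send a Referer header.
function suppressesReferer(attrs) {
  const rel = (attrs.rel || '').toLowerCase().split(/\s+/);
  if (rel.includes('noreferrer')) return true;
  return (attrs.referrerpolicy || '').toLowerCase() === 'no-referrer';
}

// Resolve href against the site origin; returns true for a different origin.
function isCrossOrigin(href, siteOrigin) {
  try {
    return new URL(href, siteOrigin).origin !== new URL(siteOrigin).origin;
  } catch {
    return false; // unparsable href: nothing to report
  }
}

// Report every cross-origin link that would still send a Referer.
function auditLinks(html, siteOrigin) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.href || !isCrossOrigin(attrs.href, siteOrigin)) continue;
    if (suppressesReferer(attrs)) continue;
    findings.push({ href: attrs.href, tag: m[0] });
  }
  return findings;
}

// Hardened copy of the page: add rel="noreferrer" to each flagged link,
// appending to an existing rel value rather than replacing it.
function hardenLinks(html, siteOrigin) {
  return html.replace(TAG_RE, (tag, raw) => {
    const attrs = parseAttrs(raw);
    if (!attrs.href || !isCrossOrigin(attrs.href, siteOrigin)) return tag;
    if (suppressesReferer(attrs)) return tag;
    const relMatch = /\brel\s*=\s*(?:(["'])(.*?)\1|([^\s"'>]+))/i.exec(raw);
    if (relMatch) {
      const [whole, q, quoted, bare] = relMatch;
      const quote = q || '"';
      const value = q ? quoted : bare;
      return `<a${raw.replace(whole, `rel=${quote}${value} noreferrer${quote}`)}>`;
    }
    return `<a rel="noreferrer"${raw}>`;
  });
}

// Constructed sample page served from https://app.example.
const SAMPLE_HTML = `
<p><a href="/account">Account</a></p>
<p><a href="https://partner.example/offer" target="_blank">Partner</a></p>
<p><a href="https://docs.example/" rel="noopener">Docs</a></p>
<p><a href="https://help.example/" rel="noopener noreferrer">Help</a></p>
<p><a href="https://cdn.example/" referrerpolicy="no-referrer">CDN</a></p>
`;
const SITE_ORIGIN = 'https://app.example';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('Leaking links:', auditLinks(SAMPLE_HTML, SITE_ORIGIN).map(f => f.href));
  console.log(hardenLinks(SAMPLE_HTML, SITE_ORIGIN));
}
```

Only the Partner and Docs links are reported: the first has no protection at all, the second only has rel="noopener". After hardening, both carry rel="noreferrer" (which in current browsers also implies noopener), and a second audit of the rewritten page returns nothing.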
Bonus: Server header
As this is a fairly short and sweet blog I thought I would include a bonus header!
The Server header is usually used to indicate what is serving up your website, often a form of advertising for the technology you are using. This can include the version of the tools used to serve your website. You should avoid this, and avoid including any default information in this header, as it could lead to vulnerabilities being found in that version of the tool.
I would recommend removing the header if possible, or overriding it with your own value, so that no information is leaked!
Summary
In summary, setting a few additional headers when serving up your site can, in this case, also protect the privacy of your users and reduce any leakage of information to third parties. It reduces the attack surface available to attackers and prevents common attacks on websites.
Set those headers now!
Happy Building!