What are you Referrer-ing to?

Contents

  1. Intro
  2. Referrer-Policy
  3. Linking
  4. Bonus: Server header
  5. Summary

Intro

Continuing on from my previous blog about website security week, we're going to talk about a Referrers on the web.

Referrers on the web allow sites you are visiting to see what site you have come from, as the Referer header (it is actually mispelled in the HTTP Specification) contains a absolute or partial url of the site you've come from if you have followed a link. This is commonly used for tracking and analytics, but it can also be used to steal information for example that contained in the URL of a reset password page or where a token is part of the URL, which is why it comes under security headers.

Referrer-Policy

This header indicates how much information can be shared in the Referer header on requests made across your site.

Recommended setting:

Referrer-Policy: no-referrer

You can read about it more on Modzilla.

It can also be set in HTML as a meta tag <meta name="referrer" content="origin">, but also on individual links.

Linking

Links aka <a> tags can include a more specific referrer policy than your site wide one you set using the previous header.

This can be controlled using the referrerpolicy attribute, for example:

<a href="http://example.com" referrerpolicy="origin">

This can also be used on <a>, <area>, <img>, <iframe>, <script>, or <link> elements.

Or alternatively using the rel attribute to remove any referrer, this would be my recommended pattern.

<a href="http://example.com" rel="noreferrer">

This can also be used on <a>, <area> or <link> elements.

Bonus: Server header

As this is a fairly short and sweet blog I thought I would include a bonus header!

The Server header, this is usually used to indicate what is serving up your website. Often a form of advertising about the technology you are using.

This can often include the version of the tools used to serve your website. You should avoid this and including any default information in this header as it could lead to vulnerabilities being found in that version of the tool.

I would recommend removing the header if possible or overriding it with your own value, as then no information is leaked!

Summary

In summary, setting a few additional headers when serving up your site can in this case also the privacy of your users and reduce any leakage of information to third parties. It reduces the amount of attack surface there is for attackers and prevent common attacks on websites.

Set those headers now!

Happy Building!

These are webmentions powered by webmention.io