Missing Referrer-Policy

Description

Referrer-Policy is an HTTP response header that controls how much of the referring page's URL a browser places in the Referer header of requests originating from a site. Without a proper Referrer-Policy, the browser may send the full URL, including the path and query string, to other origins, so an attacker could gain insight into a user's navigation path or read sensitive URL parameters that appear in the referrer. This allows malicious actors to track user behavior across different parts of the application or even collect tokens embedded in query strings. Moreover, the lack of control over referrer data could result in inadvertently exposing internal endpoints to third-party services or malicious domains. Ultimately, this security gap can be exploited to enhance reconnaissance efforts, enabling more targeted attacks or phishing campaigns.

Remediation

To mitigate this vulnerability, you should set a Referrer-Policy header in your server configuration or application settings. Popular choices include 'no-referrer', 'same-origin', or 'strict-origin-when-cross-origin', depending on privacy and functionality requirements. Make sure the policy is consistently applied across your entire application stack, including any reverse proxies or load balancers. Consider deploying a Web Application Firewall (WAF) or a network firewall rule to detect and block suspicious requests that might exploit or manipulate referrer information. Lastly, regularly review and update security headers as part of your overall hardening and patch management strategy to prevent misconfigurations and maintain robust protection.
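The following checker is an added example and is not part of the original advisory. It parses a raw HTTP response, resolves the policy a browser would actually apply (the header may carry a comma-separated list of fallbacks, unknown tokens are ignored, and the last recognised token wins), and rates the result as missing, weak, moderate or strong. The sample responses are constructed; the policy grouping is the reviewer's own, based on whether a policy can send the path and query string to another origin.

```python
"""Rate the Referrer-Policy header of an HTTP response.

Added example, not code from the original advisory. Sample responses
below are constructed. Policy names are the eight values defined by the
W3C Referrer Policy specification.
"""
from typing import Dict, List, Tuple

# Never leak path or query string to another origin.
STRONG = {"no-referrer", "same-origin", "strict-origin",
          "strict-origin-when-cross-origin"}
# Send only the origin cross-origin; full URL may still go same-origin.
MODERATE = {"origin", "origin-when-cross-origin"}
# Send the full URL (path + query) to other origins.
WEAK = {"no-referrer-when-downgrade", "unsafe-url"}
KNOWN = STRONG | MODERATE | WEAK


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.x response into a map of
    lower-cased name -> list of values (repeated headers are all kept)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def effective_policy(values: List[str]) -> str:
    """Resolve the policy a browser applies: merge repeated headers, split
    on commas, drop unknown tokens, and keep the last valid one. Returns
    an empty string when no valid policy is present."""
    tokens = [t.strip().lower() for v in values for t in v.split(",")]
    valid = [t for t in tokens if t in KNOWN]
    return valid[-1] if valid else ""


def assess(raw: bytes) -> Tuple[str, str]:
    """Return (effective_policy, rating) where rating is one of
    'missing', 'weak', 'moderate' or 'strong'."""
    values = parse_headers(raw).get("referrer-policy", [])
    policy = effective_policy(values)
    if not policy:
        return policy, "missing"
    if policy in WEAK:
        return policy, "weak"
    if policy in MODERATE:
        return policy, "moderate"
    return policy, "strong"


# Constructed sample responses.
MISSING_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
WEAK_RESP = b"HTTP/1.1 200 OK\r\nReferrer-Policy: unsafe-url\r\n\r\n"
# A fallback list with an unknown token in the middle: the last valid
# token, strict-origin-when-cross-origin, is what the browser applies.
LIST_RESP = (b"HTTP/1.1 200 OK\r\n"
             b"Referrer-Policy: no-referrer, bogus-value, "
             b"Strict-Origin-When-Cross-Origin\r\n\r\n")
# An empty header value is treated the same as no header at all.
EMPTY_RESP = b"HTTP/1.1 200 OK\r\nReferrer-Policy: \r\n\r\n"

if __name__ == "__main__":
    for label, resp in [("missing", MISSING_RESP), ("weak", WEAK_RESP),
                        ("list", LIST_RESP), ("empty", EMPTY_RESP)]:
        policy, rating = assess(resp)
        print(f"{label:8s} policy={policy or '<none>':35s} rating={rating}")
```

Run it against saved responses from a crawl, or point `assess` at the bytes returned by your HTTP client, and treat `missing` and `weak` as findings. Two caveats worth keeping in mind when triaging: current Chrome and Firefox already apply `strict-origin-when-cross-origin` when the header is absent, so the practical exposure of a missing header is concentrated in older browsers, while an explicit `unsafe-url` or `no-referrer-when-downgrade` is a real leak everywhere; and a policy set only by the origin server can be dropped by a proxy or CDN layer, which is why the check should be run against the edge the user actually talks to.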

References

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
https://owasp.org/www-project-secure-headers/#referrer-policy

Severity

MEDIUM

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

4.3

CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

4.3