Referrer-Policy Header is Missing
Impact: Informational
Description
The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests. (Mozilla)

The Referer (sic) header contains the address of the previous web page from which a link to the currently requested page was followed, which has lots of fairly innocent uses including analytics, logging, or optimized caching. However, there are more problematic uses such as tracking or stealing information, or even just side effects such as inadvertently leaking sensitive information. (Mozilla)
Recommendation
Configure your server to send the Referrer-Policy header for all pages with the value set to strict-origin-when-cross-origin. See the references for the other possible values.
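As an added example (not part of the original page), the following Python check classifies a response's Referrer-Policy header the way a scanner would: missing, invalid, weak (a policy that can send the full URL to other origins), or ok. The input is a constructed dictionary of response headers; the comma-separated fallback handling follows the Referrer Policy specification, where the last recognised token wins.

```python
# Values defined by the Referrer Policy specification.
VALID_POLICIES = {
    "no-referrer",
    "no-referrer-when-downgrade",
    "origin",
    "origin-when-cross-origin",
    "same-origin",
    "strict-origin",
    "strict-origin-when-cross-origin",
    "unsafe-url",
}

# Policies that can send the full URL (path and query) to other origins.
LEAKY_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}

RECOMMENDED = "strict-origin-when-cross-origin"


def effective_policy(header_value):
    """Resolve a Referrer-Policy header value to the policy a browser applies.

    The header may carry a comma-separated fallback list; the browser keeps the
    last token it recognises and ignores unknown ones.
    """
    policy = ""
    for token in header_value.split(","):
        token = token.strip().lower()
        if token in VALID_POLICIES:
            policy = token
    return policy


def check_referrer_policy(headers):
    """Classify a dict of response headers as a scanner would; names are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("referrer-policy")
    if raw is None:
        return "missing", "Referrer-Policy header is not set"
    policy = effective_policy(raw)
    if policy == "":
        return "invalid", f"no recognised policy in {raw!r}"
    if policy in LEAKY_POLICIES:
        return "weak", f"{policy} can send the full URL cross-origin"
    return "ok", policy


# Constructed sample responses, as a scanner would see them.
print(check_referrer_policy({"Content-Type": "text/html"}))
print(check_referrer_policy({"Referrer-Policy": "unsafe-url, strict-origin-when-cross-origin"}))
```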
References
Last updated on February 15, 2021