Description
The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) the browser includes with requests. The Referer header carries the address of the page from which the current request originated, whether a link the user followed or a page that loads a script, image or other subresource. Referrers have legitimate uses such as analytics and logging, but when handled carelessly they leak data: a full URL can contain path or query components (account identifiers, search terms, password-reset or session tokens) that are then disclosed to every third-party host the page links to or loads resources from, and on a transition from an HTTPS page to an HTTP destination the referrer travels in cleartext.
Recommendation
Configure the server to send the Referrer-Policy header on every response with the value strict-origin-when-cross-origin. Under this policy the browser sends the full URL (minus any credentials and fragment) as the referrer for same-origin requests, sends only the origin for cross-origin requests, and sends no referrer at all when an HTTPS page makes a request to an HTTP destination. Current browsers already apply this policy by default when the header is absent, but older browsers fall back to no-referrer-when-downgrade, which sends the full URL to any same-scheme cross-origin destination, so setting the header explicitly is still worthwhile. If the application places secrets in URLs, or never needs a referrer at all, the stricter same-origin or no-referrer values may suit better. The header may also carry a comma-separated list of policies; the browser keeps the last value it recognises, so a conservative fallback can be listed first for browsers that do not understand a newer value. Note that the header applies to the document as a whole: the referrerpolicy attribute on individual elements and the noreferrer link relation can override it for a particular request.
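As an added example that is not part of this finding or of any scanner's own code, the following Node.js script reproduces the browser's referrer computation for each policy value, so a configured header can be sanity-checked against the leak described above. It illustrates both the description (what a full referrer exposes) and the recommendation (what strict-origin-when-cross-origin sends in each case). The host names and URLs in it are constructed for illustration only.

```javascript
// Added example: evaluates what a browser would send as the Referer header
// for a given Referrer-Policy, so a configured value can be sanity-checked.
// All URLs below are constructed for illustration; "app.example.com" and
// the hosts it talks to are hypothetical.

const VALID_POLICIES = new Set([
  "no-referrer",
  "no-referrer-when-downgrade",
  "origin",
  "origin-when-cross-origin",
  "same-origin",
  "strict-origin",
  "strict-origin-when-cross-origin",
  "unsafe-url",
]);

// Policy applied when the header is missing or carries no valid token.
// Current browsers default to strict-origin-when-cross-origin.
const DEFAULT_POLICY = "strict-origin-when-cross-origin";

// Parse a Referrer-Policy header value. The header may carry a comma-separated
// list; the browser keeps the last token it recognises, so unknown tokens and
// older fallbacks earlier in the list are ignored. Returns "" when none is valid.
function parseReferrerPolicy(headerValue) {
  let policy = "";
  for (const token of (headerValue || "").split(",")) {
    const t = token.trim();
    if (VALID_POLICIES.has(t)) policy = t;
  }
  return policy;
}

// Strip credentials and fragment: these are never included in a referrer.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Compute the Referer value (or null for "no referrer") a browser would attach
// when a request to `toUrl` originates from the HTTP(S) page `fromUrl`.
function referrerFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const effective = VALID_POLICIES.has(policy) ? policy : DEFAULT_POLICY;
  const full = stripForReferrer(fromUrl);
  const originOnly = from.origin + "/";
  const sameOrigin = from.origin === to.origin;
  // A "downgrade" is an HTTPS page making a request to a plain-HTTP URL.
  const downgrade = from.protocol === "https:" && to.protocol === "http:";

  switch (effective) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin": return downgrade ? null : originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
  }
  return null; // unreachable: every valid policy is handled above
}

// True when the header value lets the full URL (path and query) reach a
// cross-origin host over the same scheme, which is the leak this finding is about.
function leaksFullUrlCrossOrigin(headerValue) {
  const p = parseReferrerPolicy(headerValue) || DEFAULT_POLICY;
  return p === "unsafe-url" || p === "no-referrer-when-downgrade";
}

// Walk a constructed page through three destinations to show the difference.
const page = "https://app.example.com/account/reset?token=abc123#step2";
for (const header of ["unsafe-url", "no-referrer, strict-origin-when-cross-origin"]) {
  const policy = parseReferrerPolicy(header);
  for (const dest of [
    "https://app.example.com/help",
    "https://cdn.example.net/widget.js",
    "http://tracker.example.net/pixel.gif",
  ]) {
    console.log(`${policy} -> ${dest}: ${referrerFor(policy, page, dest)}`);
  }
}
```

The script models the document-level policy for HTTP(S) pages only; it does not account for per-element referrerpolicy attributes, rel="noreferrer" on links, or non-HTTP origins, which a browser handles separately.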
References
- Mozilla: Referrer-Policy HTTP header
- Mozilla: Referer header: privacy and security concerns
- CWE-16: Configuration
- OWASP Top 10 2021: A05 Security Misconfiguration