What is a referrer header?

The referrer request header (spelled "Referer" on the wire, a misspelling inherited from the original HTTP specification) identifies the address of the web page from which the request originated, allowing servers to identify where the request to the current page came from. This has many legitimate uses including, but not limited to, analytics, logging and cache optimization.

Referrer Header Risks

There are multiple risks associated with using the referrer header:

  • Referrer information can violate user privacy. Third-party links and embedded resources on a website can unintentionally expose user information to those third parties. A prominent example was the 2010 Facebook privacy breach, in which user IDs were leaked to third-party ad networks through Facebook referrer URLs.
  • Referrer information can inadvertently reveal non-public websites: a user following a link from an intranet page to the public web hands the intranet hostname and path to the destination server.
  • Referrer spam is still an issue. An attacker sends requests to a website with a crafted referrer header, which analytics tools report to the website owner. The owner may investigate the referrer and follow the link back to a malicious web page.
  • A very specific example of how the referrer header can leak sensitive information is the leakage of password reset links. The reset token usually sits in the URL's query string, so if the reset page loads third-party resources, or the user follows an external link from it, the full URL, token included, is sent as the referrer to that third party.

How Referrer Policy Works

To close these gaps, configure a referrer policy, which tells the browser how much of the URL (if anything) to send as the referrer.

Detailed specifications and explanation on how to use referrer-policy can be found in the W3C Referrer Policy specification, but a brief summary is provided below:

Policy value                         What the browser sends as the referrer

empty string                         No policy is set at this level; the browser falls back to a referrer policy defined elsewhere (for example the document's Referrer-Policy header) or to its built-in default

no-referrer                          Never sends the referrer header

no-referrer-when-downgrade           Sends the full URL (credentials and fragment are always removed) except when navigating from HTTPS to HTTP, where nothing is sent

same-origin                          Sends the full URL only when the destination has the same origin as the source; nothing is sent for cross-origin requests

origin                               Sends only the origin (scheme, host and port) for every request, with no path or query string

strict-origin                        Sends only the origin, and nothing at all when navigating from HTTPS to HTTP

origin-when-cross-origin             Sends the full URL for same-origin requests but only the origin for cross-origin requests

strict-origin-when-cross-origin      Sends the full URL for same-origin requests, only the origin for cross-origin requests, and nothing when navigating from HTTPS to HTTP

unsafe-url                           Sends the full URL for every request, whatever the destination's origin or scheme


It is generally not advisable to use ‘unsafe-url’: it sends the full URL, path and query string included, even to HTTP destinations, where it can be read in transit.

What does Chrome’s new referrer policy default do?

Google Chrome has used strict-origin-when-cross-origin as its default referrer policy since Chrome 85 (released in 2020), instead of no-referrer-when-downgrade. The default only applies to pages that set no referrer policy of their own.

Under strict-origin-when-cross-origin, cross-origin requests carry only the origin of the referring page; the path and query string, which is where sensitive data such as tokens and search terms usually lives, are never sent across origins, and nothing is sent at all when an HTTPS page requests an HTTP resource. Same-origin requests still receive the full URL. For website owners this means that referral sources on other sites show only the origin (scheme and host) of the referring page, so it can be difficult to pinpoint the exact page the traffic came from. Individual sites can still pick a referrer policy of their choice.

Example: a user on https://mywebsite.com/contact-us/ follows a link to a page on another site.

  • With the old no-referrer-when-downgrade default the referrer URL obtained is:

    https://mywebsite.com/contact-us/
  • With the new strict-origin-when-cross-origin default the referrer URL obtained is:

    https://mywebsite.com/
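The following is an added example, not code from Tala or from any browser: it implements the referrer computation summarised in the policy table above for every policy value, and reproduces both the Chrome default change and the password-reset leak described earlier. It runs under Node.js, which has the WHATWG URL class built in. The URLs other.example and cdn.example, and the reset token, are constructed for the example.

```javascript
// Added example (not Tala's code or any browser's): computes what a browser
// puts in the Referer header for a given Referrer-Policy value, following the
// W3C Referrer Policy algorithm. Node.js: WHATWG URL is a global.

const POLICIES = [
  "no-referrer",
  "no-referrer-when-downgrade",
  "same-origin",
  "origin",
  "strict-origin",
  "origin-when-cross-origin",
  "strict-origin-when-cross-origin",
  "unsafe-url",
];

// What an empty policy falls back to when nothing else sets one
// (the browser default since Chrome 85).
const DEFAULT_POLICY = "strict-origin-when-cross-origin";

// "Full URL" in referrer terms never includes credentials or the fragment.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Origin-only form: scheme, host and port, with a trailing slash and no path.
function originOnly(url) {
  return new URL(url).origin + "/";
}

// HTTPS -> HTTP is the "downgrade" that the strict-* and *-when-downgrade
// policies react to.
function isTlsDowngrade(from, to) {
  return new URL(from).protocol === "https:" && new URL(to).protocol !== "https:";
}

// Returns the Referer value the browser would send for a request from `from`
// to `to` under `policy`, or null when the header is omitted entirely.
function computeReferrer(policy, from, to) {
  if (policy === "") policy = DEFAULT_POLICY;
  if (!POLICIES.includes(policy)) throw new Error(`unknown referrer policy: ${policy}`);
  const sameOrigin = new URL(from).origin === new URL(to).origin;
  const downgrade = isTlsDowngrade(from, to);
  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade":
      return downgrade ? null : stripForReferrer(from);
    case "same-origin":
      return sameOrigin ? stripForReferrer(from) : null;
    case "origin":
      return originOnly(from);
    case "strict-origin":
      return downgrade ? null : originOnly(from);
    case "origin-when-cross-origin":
      return sameOrigin ? stripForReferrer(from) : originOnly(from);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return stripForReferrer(from);
      return downgrade ? null : originOnly(from);
    case "unsafe-url":
      return stripForReferrer(from);
  }
}

// Which policies would leak more than the origin of `from` (i.e. its path and
// query string) to the destination `to`: the check to run on a password-reset page.
function policiesLeakingPath(from, to) {
  return POLICIES.filter((p) => {
    const ref = computeReferrer(p, from, to);
    return ref !== null && ref !== originOnly(from);
  });
}

// Constructed sample: a password-reset page (token made up for this example)
// that loads a third-party script over HTTPS.
const RESET_URL = "https://mywebsite.com/reset?token=abc123";
const THIRD_PARTY = "https://cdn.example/analytics.js";

for (const p of POLICIES) {
  console.log(p.padEnd(32), computeReferrer(p, RESET_URL, THIRD_PARTY));
}
console.log("policies that leak the token:", policiesLeakingPath(RESET_URL, THIRD_PARTY));
```

Running it shows that only no-referrer-when-downgrade (the old Chrome default) and unsafe-url hand the reset token to the third party; every other policy stops at https://mywebsite.com/ or sends nothing. The same function applied to the contact-us example above gives the two referrer values quoted there.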

How can I set the referrer policy for my own website?

The referrer policy can be set via the Referrer-Policy HTTP response header:

Referrer-Policy: <directive>

The directive can be any of the following: "no-referrer" / "no-referrer-when-downgrade" / "strict-origin" / "strict-origin-when-cross-origin" / "same-origin" / "origin" / "origin-when-cross-origin" / "unsafe-url". Several directives may be given as a comma-separated list; browsers apply the last one they recognise, which provides a fallback for older browsers that do not know the newer directives.

Referrer policies can also be set inside HTML with a <meta> element with a name of referrer:

<meta name="referrer" content="origin">

Or for individual requests with the referrerpolicy attribute on <a>, <area>, <img>, <iframe>, <script>, or <link> elements, which overrides the document-wide policy for that one request:

<a href="https://mywebsite.com" referrerpolicy="origin">Link text</a>
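As an added example, not Tala's code or any framework's, here is a Node.js request handler that applies the three mechanisms above: a per-URL Referrer-Policy header with a fallback list, the matching <meta> tag in the page, and a referrerpolicy attribute on an outbound link. The /reset path, the page markup and the other.example link are assumptions made for this example.

```javascript
// Added example (not Tala's code): set Referrer-Policy per URL from a Node.js
// http handler. The /reset path and the markup are assumptions for the example.

const VALID_DIRECTIVES = new Set([
  "no-referrer",
  "no-referrer-when-downgrade",
  "same-origin",
  "origin",
  "strict-origin",
  "origin-when-cross-origin",
  "strict-origin-when-cross-origin",
  "unsafe-url",
]);

// Builds the header value. A comma-separated list is a fallback chain: browsers
// use the last directive they recognise, so the preferred (newer) directive goes
// last and the fallback for older browsers goes first.
function referrerPolicyHeader(directives) {
  for (const d of directives) {
    if (!VALID_DIRECTIVES.has(d)) {
      throw new Error(`invalid Referrer-Policy directive: ${d}`);
    }
  }
  return directives.join(", ");
}

// Pages whose URL carries a secret (here the assumed password-reset page, whose
// token sits in the query string) send no referrer at all; everything else gets
// the origin-only policy, with no-referrer as the fallback for older browsers.
function policyFor(pathname) {
  if (pathname.startsWith("/reset")) return ["no-referrer"];
  return ["no-referrer", "strict-origin-when-cross-origin"];
}

// Sets the header on a Node http.ServerResponse (anything with setHeader works)
// and returns the value set so it can be checked.
function applyReferrerPolicy(req, res) {
  // req.url is path-only, so a base is needed to parse it.
  const { pathname } = new URL(req.url, "http://localhost");
  const value = referrerPolicyHeader(policyFor(pathname));
  res.setHeader("Referrer-Policy", value);
  return value;
}

// Request handler: header on every response, the preferred directive repeated
// in a <meta> tag, and a per-request override on an external link.
function handler(req, res) {
  const value = applyReferrerPolicy(req, res);
  const directives = policyFor(new URL(req.url, "http://localhost").pathname);
  const docPolicy = directives[directives.length - 1];
  res.setHeader("Content-Type", "text/html; charset=utf-8");
  res.end(
    `<!doctype html><meta name="referrer" content="${docPolicy}">` +
      `<p>Referrer-Policy: ${value}</p>` +
      // This outbound link sends no referrer regardless of the document policy.
      `<a href="https://other.example/" referrerpolicy="no-referrer">external</a>`
  );
}
```

Wire it up with http.createServer(handler).listen(8080) and check the result with curl -sI 'http://localhost:8080/reset?token=x' | grep -i referrer-policy, which should print no-referrer for the reset page and the fallback list for every other path.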

Automating Referrer Policy via Tala

Control Risk. Manage Trust.

Identifying the optimal referrer policy definition requires insights into third-party content loading, page-wide policy settings, and can require extensive server configurations. Tala’s WARP customizes policies based on security requirements. Referrer policy may be defined per URL or set of URLs and can be enforced within minutes. Learn more about how Tala protects websites with WARP


Is your website safe from Magecart attacks?

Request a free website analysis to find out.