The referrer request header (spelled "Referer" on the wire, a misspelling that the HTTP specification kept) carries the URL of the web page that links to, or embeds, the resource being requested, allowing servers to identify where a request originated. This has many legitimate uses, including analytics, logging and cache optimization.
There are multiple risks associated with the referrer header. By default it carries the full URL of the referring page, so the path and query string, and anything embedded in them such as a session identifier or a password-reset token, are disclosed to every third-party origin the page links to or loads content from; and when navigating from an HTTPS page to an HTTP resource, that URL is disclosed in plaintext. To close these gaps it is helpful to configure a referrer policy.
The detailed specification of Referrer-Policy is the W3C Referrer Policy document (https://www.w3.org/TR/referrer-policy/); a brief summary is provided below. In every row, "full URL" means the page URL with any username, password and fragment removed, and "origin" means scheme, host and port only, with no path or query.
Directive | Behaviour
(empty string) | No policy set at this level; the browser falls back to a policy defined elsewhere (a higher-level policy, or its own default)
no-referrer | Never send the Referer header
no-referrer-when-downgrade | Send the full URL, except when navigating from HTTPS to HTTP, where nothing is sent
same-origin | Send the full URL for requests to the same origin as the page; send nothing cross-origin
origin | Send only the origin, with no path or query, for every request, including HTTPS to HTTP
strict-origin | Send only the origin, and nothing at all when navigating from HTTPS to HTTP
origin-when-cross-origin | Send the full URL for same-origin requests and only the origin for cross-origin requests, including HTTPS to HTTP
strict-origin-when-cross-origin | Send the full URL for same-origin requests, only the origin for cross-origin requests, and nothing when navigating from HTTPS to HTTP
unsafe-url | Send the full URL for every request, including HTTPS to HTTP
Google Chrome adopted strict-origin-when-cross-origin as its default policy in Chrome 85, replacing no-referrer-when-downgrade; Firefox followed in Firefox 87.
Chrome's strict-origin-when-cross-origin default preserves privacy and prevents cross-origin access to sensitive data in the path and query string of the full URL. Under this default, website owners receive only the origin (scheme, host and port) of their referral sources, so it can be difficult to pinpoint the exact page that traffic is coming from. Individual sites can still pick a referrer policy of their choice, and a site that does so also decides how much its own users' URLs are exposed to the third parties it embeds.
Example:
The referrer policy can be set via the Referrer-Policy HTTP response header:
Referrer-Policy: <directive>
The directive is one of: no-referrer, no-referrer-when-downgrade, strict-origin, strict-origin-when-cross-origin, same-origin, origin, origin-when-cross-origin, unsafe-url. The header value may also be a comma-separated list of directives; browsers ignore any token they do not recognise and apply the last one they do, which lets a site list a widely supported fallback first and a newer directive after it.
Referrer policies can also be set inside HTML with a <meta> element in the document's <head> with a name of referrer:
<meta name="referrer" content="origin">
Or for individual requests with the referrerpolicy attribute on <a>, <area>, <img>, <iframe>, <script>, or <link> elements, which overrides the page-wide policy for that element only:
<a href="https://mywebsite.com" referrerpolicy="origin">Link</a>
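To make the table and the header format above concrete, here is an added example that is not code from the original article or from Tala. It models how a browser derives the Referer value from a Referrer-Policy directive, the page URL and the request URL, following the W3C "Determine request's referrer" algorithm, and how it parses a comma-separated Referrer-Policy header. The function names, the sample page URL and the sample targets are assumptions made for the example.

```javascript
// Added example, not code from the original article or from Tala: a model of
// how a browser turns the Referrer-Policy directives into a Referer value,
// following the W3C Referrer Policy "Determine request's referrer" algorithm.
// Function names and the sample URLs below are my own.

const KNOWN_POLICIES = new Set([
  "no-referrer",
  "no-referrer-when-downgrade",
  "same-origin",
  "origin",
  "strict-origin",
  "origin-when-cross-origin",
  "strict-origin-when-cross-origin",
  "unsafe-url",
]);

// Parse a Referrer-Policy header value. The header may be a comma-separated
// list (older browsers skip tokens they do not know, so sites list a fallback
// first); the last recognised token wins. Tokens are matched as written.
// Returns "" when nothing is recognised, meaning "use the browser default".
function parseReferrerPolicy(headerValue) {
  let policy = "";
  for (const token of String(headerValue).split(",")) {
    const t = token.trim();
    if (KNOWN_POLICIES.has(t)) policy = t;
  }
  return policy;
}

// Only http(s) URLs can produce a referrer; file:, data:, blob: etc. yield none.
// "Stripping" removes credentials and the fragment; with originOnly it also
// drops the path and query, leaving "scheme://host[:port]/".
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  if (originOnly) return u.origin + "/";
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Simplified "potentially trustworthy" check: HTTPS or loopback.
function isTrustworthy(u) {
  return u.protocol === "https:" || u.hostname === "localhost" || u.hostname === "127.0.0.1";
}

// Referer value (or null for "send no header") that a browser would attach
// when a page at sourceUrl, governed by `policy`, requests destUrl.
function computeReferrer(policy, sourceUrl, destUrl) {
  if (policy === "") policy = "strict-origin-when-cross-origin"; // current browser default
  const src = new URL(sourceUrl);
  const dst = new URL(destUrl);
  const full = stripForReferrer(sourceUrl, false);
  if (full === null) return null;
  const originOnly = stripForReferrer(sourceUrl, true);
  const sameOrigin = src.origin === dst.origin;
  const downgrade = isTrustworthy(src) && !isTrustworthy(dst); // HTTPS -> HTTP

  switch (policy) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return full;
    case "no-referrer-when-downgrade":
      return downgrade ? null : full;
    case "same-origin":
      return sameOrigin ? full : null;
    case "origin":
      return originOnly;
    case "strict-origin":
      return downgrade ? null : originOnly;
    case "origin-when-cross-origin":
      return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Constructed sample: a page whose URL carries a reset token in the query string.
const PAGE = "https://shop.example/account/reset?token=s3cr3t#step2";
const TARGETS = [
  "https://shop.example/account",        // same origin
  "https://cdn.thirdparty.example/a.js", // cross origin, still HTTPS
  "http://tracker.example/pixel.gif",    // cross origin, HTTPS -> HTTP downgrade
];

// Evaluate every directive against every target so the differences are visible.
function referrerMatrix(pageUrl, targets) {
  const rows = {};
  for (const policy of KNOWN_POLICIES) {
    rows[policy] = targets.map((t) => computeReferrer(policy, pageUrl, t));
  }
  return rows;
}

console.table(referrerMatrix(PAGE, TARGETS));
```

Running it with Node prints one row per directive; the column for the HTTP tracker is where no-referrer-when-downgrade and the strict-* directives drop the header entirely, while origin and origin-when-cross-origin still hand the origin to the plaintext destination and unsafe-url hands over the token. Feeding a real Referrer-Policy header through parseReferrerPolicy before computeReferrer shows what a comma-separated fallback list actually resolves to.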
Identifying the optimal referrer policy definition requires insights into third-party content loading, page-wide policy settings, and can require extensive server configurations. Tala’s WARP customizes policies based on security requirements. Referrer policy may be defined per URL or set of URLs and can be enforced within minutes. Learn more about how Tala protects websites with WARP.
COPYRIGHT ©2022 TALA SECURITY, INC. ALL RIGHTS RESERVED