
Insecure HTTP Header Setting: Insecure Referrer Policy


Description

The Referrer-Policy header controls what the browser sends in the Referer header, which tells the destination server the origin or full URL of the page the request was made from. The web application uses an insecure Referrer Policy configuration that may leak user information carried in the referring URL to third-party sites.

Recommendation

Consider setting the Referrer-Policy header to 'strict-origin-when-cross-origin' or a stricter value.
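The following is an added example (not part of this finding's original text, and not the scanner's own check logic) that makes the recommendation concrete. It parses a Referrer-Policy header the way the Fetch specification does (comma-separated fallback list, unrecognised tokens skipped, last recognised token wins), reports the value as insecure when the effective policy is weaker than 'strict-origin-when-cross-origin', and computes what the Referer header would contain for a request from one URL to another under each policy, so the leak described above can be seen directly. The URLs and header values are constructed sample data; the acceptance set is this example's reading of the recommendation, not the scanner's published rule.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# The eight policy tokens defined by the Referrer Policy specification.
REFERRER_POLICIES = frozenset({
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
})

# Policies that satisfy the recommendation: 'strict-origin-when-cross-origin'
# or stricter (never send the full URL cross-origin, never send anything on an
# HTTPS -> HTTP downgrade). This set is an assumption of the example.
ACCEPTABLE_POLICIES = frozenset({
    "strict-origin-when-cross-origin", "strict-origin", "same-origin", "no-referrer",
})

# Fetch's default when the policy is empty. Older browsers defaulted to the
# leakier 'no-referrer-when-downgrade', so an absent header is still flagged.
DEFAULT_POLICY = "strict-origin-when-cross-origin"


def effective_policy(header_value: Optional[str]) -> str:
    """Policy a browser applies for this header, per the Fetch spec parsing rules:
    split on commas, skip tokens that are not policy names, last valid token wins.
    Returns "" when no valid token is present (browser falls back to its default)."""
    if header_value is None:
        return ""
    policy = ""
    for token in header_value.split(","):
        token = token.strip()
        if token in REFERRER_POLICIES:
            policy = token
    return policy


def is_insecure(header_value: Optional[str]) -> bool:
    """True when the header (or its absence) does not meet the recommendation."""
    return effective_policy(header_value) not in ACCEPTABLE_POLICIES


def _host_port(url: str) -> str:
    parts = urlsplit(url)
    host = parts.hostname or ""
    return f"{host}:{parts.port}" if parts.port else host


def _strip(url: str) -> str:
    """Referrer URL with credentials and fragment removed, as the spec requires."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, _host_port(url), parts.path or "/", parts.query, ""))


def _origin(url: str) -> str:
    return f"{urlsplit(url).scheme}://{_host_port(url)}/"


def referer_sent(policy: str, from_url: str, to_url: str) -> Optional[str]:
    """Referer header value for a request from from_url to to_url under policy
    (None means the header is omitted). Simplified from Fetch's 'determine
    request's referrer': same-origin compares scheme, host and port; a downgrade
    is an https source requesting a non-https target."""
    if policy == "":
        policy = DEFAULT_POLICY
    src, dst = urlsplit(from_url), urlsplit(to_url)
    same_origin = (src.scheme, src.hostname, src.port) == (dst.scheme, dst.hostname, dst.port)
    downgrade = src.scheme == "https" and dst.scheme != "https"
    full, origin = _strip(from_url), _origin(from_url)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown referrer policy {policy!r}")


if __name__ == "__main__":
    # Constructed sample: a password-reset page whose query string must not leak.
    page = "https://app.example.test/reset?token=abc123"
    third_party = "https://cdn.analytics.test/pixel.gif"
    for header in (None, "unsafe-url", "no-referrer-when-downgrade, strict-origin",
                   "strict-origin-when-cross-origin"):
        policy = effective_policy(header)
        print(f"{header!r:45} insecure={is_insecure(header)!s:5} "
              f"Referer sent to third party: {referer_sent(policy, page, third_party)}")
```

Running the block shows that 'unsafe-url' (and the pre-2020 browser default) hands the full reset URL, token included, to the third-party host, while 'strict-origin-when-cross-origin' reduces it to the bare origin. The fallback-list handling matters for scanners: a header such as 'no-referrer-when-downgrade, strict-origin' is safe, because a conforming browser applies the last token it recognises.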

Standards

  • OWASP_ASVS_L1:
    • V14_4_6
  • OWASP_ASVS_L2:
    • V14_4_6
  • OWASP_ASVS_L3:
    • V14_4_6
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_6_2
    • REQ_6_3
    • REQ_6_4
    • REQ_11_3