Referrer Policy Header Security

Referrer-Policy header security is a request header that indicates the site which the traffic originated from. If there is no adequate prevention in place, the URL itself, and even sensitive information contained in the URL will be leaked to the cross-site.

The Referrer-Policy header is a fairly new header that has been a W3C Candidate Recommendation since January 26, 2017. It makes it possible to control which referrer information is included in requests. When viewing a page, the referrer information indicates the origin of the request. Because this can lead to privacy and security issues when passing on the URL, the Referrer-Policy header was created to control how this information is sent from a referring page to the target page in the course of browsing.

Referrer-Policy is important because it addresses the following issues:

• Unexpected cross-origin information leakage hinders web users’ privacy. A protective referrer policy can help.

• Consider setting a referrer policy of strict-origin-when-cross-origin. It retains much of the referrer’s usefulness, while mitigating the risk of leaking data cross-origins.

• Don’t use referrers for Cross-Site Request Forgery (CSRF) protection. Use CSRF tokens instead, and other headers as an extra layer of security

Referrer-Policy Header Security Working Model

All Referrer policies that take the scheme (HTTPS vs. HTTP) as (strict-origin, no-referrer when-downgrade and strict-origin-when-cross-origin) treat requests from an HTTP origin to another HTTP origin 

The same way as requests from an HTTPS origin to another HTTPS origin—even if HTTP is less secure. 

That's because for these policies, what matters is whether a security downgrade takes place, as if the request can expose data from an encrypted origin to an unencrypted one. 

An HTTP → HTTP request is unencrypted all 
along, so there is no downgrade. HTTPS → HTTP requests, on the contrary, present a downgrade.

If a request is same-origin, this means that the scheme (HTTPS or HTTP) is the same; hence there is no security downgrade

How to integrate Referrer-Policy Header Security

The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header should be included with requests made.
How to integrate Referrer-Policy Header Security give as below

Syntax:

• Referrer-Policy: no-referrer
• Referrer-Policy: no-referrer-when-downgrade
• Referrer-Policy: origin
• Referrer-Policy: strict-origin
• Referrer-Policy: origin-when-cross-origin
• Referrer-Policy: strict-origin-when-cross-origin
• Referrer-Policy: same-origin
• Referrer-Policy: unsafe-url

[1] How to add in Nginx configuration file

There are following code need to add in Nginx configuration file

add_header Referrer-Policy "strict-origin-when-cross-origin";


[2] How to add in Apache configuration file

There are following code need to add in Apache configuration file

header Referrer-Policy "strict-origin-when-cross-origin"


[3] How to add in .htaccess file

There are following code need to add in .htaccess configuration file

<IfModule mod_headers.c>
Header  set Referrer-Policy "strict-origin-when-cross-origin" 
<IfModule mod_headers.c>

There are following steps, where each Referrer-Policy has been described detailed view

• no-referrer: This sends no referrer information along with the request made.

• no-referrer-when-downgrade: This sends complete URL information to a potentially trustworthy URL from modern HTTPS State or from not modern HTTPS state to any origin . Information is sent for HTTPS -> HTTPS and HTTP -> HTTPS transition . This is the default 
Referrer-Policy.

• origin: It only sends the origin value of the request client when making either same origin (same website) or cross-origin (different website) requests.

• strict origin: This only sends origin information to potentially trustworthy URL from modern HTTPS State or from not modern HTTPS state to any origin.

• origin-when-cross-origin: It sends complete URL information when making requests on same origin but only origin information when making cross-origin requests.

• strict-origin-when-cross-origin: It sends complete URL information when working on request from same origin. It sends only origin information to potentially trustworthy URL from modern HTTPS State or from not modern HTTPS state to any origin. No referrer 
information is sent to a potentially non-trustworthy URL.

• same-origin: It sends referrer information when origin is on same website but no information is sent for cross origin.

• unsafe-url: It sends complete URL information irrespective of any criteria.

There are following list of Referrer-Policy’s Browser compatibility, that is why Referrer-Policy must be integrate

There are following below advantages after integrating Referrer-Policy Header Security

HTTPS sites will never transmit referrer information to non-HTTPS sites.
Referrer Policy is used to determine what information is sent along with the requests.
The Referrer-Policy header on your server to control what information is sent through the Referrer header security. For example, a directive of no-referrer would omit the Referrer header security entirely.
The Referrer HTTP request header contains an absolute or partial address of the page making the request.
The Referrer Policy HTTP header sets the parameter for amount of information sent along with Referer Header while making a request.
Referrer policy is used to maintain the security and privacy of source account while fetching resources or performing navigation
This could also be a way to increase the integrity for the users of the website. For example, if a user reads a news article about cats and the article has a link to a cat shelter website.

HTTP Security Headers Checker Tool

https://www.site2info.com/sitesecurity.php