Tackle WordPress weaknesses and fortify your website.

The Referrer-Policy header was created to control information sent by browsers to destination servers when clicking on hyperlinks. The http standard includes a http request header called “referrer” that is used by your browser to send information to a site you are visiting after clicking a hyperlink to that site. This referrer can contain the complete url of the page that the link was on. Example: You are now on the page “https://really-simple-ssl.com/definition/what-is-referrer-policy/”. If you click on a link like https://complianz.io your browser could send the following information “referrer: https://really-simple-ssl.com/definition/what-is-referrer-policy/” to the complainz.io server. This way Complianz knows what server and page you were on when you clicked the hyperlink to Complianz. This can be useful for analytics, affiliate fees and marketing purposes.

Issues
Although sending referrer information has legitimate purposes there are serious security and privacy issues with this approach. From a privacy point of view, in most cases there is no real need for the site you are visiting to know what page you were on when you clicked the hyperlink. Depending on settings your browser might even send the query string in your browser to the destination server. This query string could include sensitive details. For example: If you are visiting a page on a site with medical information such as “https://medicalinfo4you.org/stage1-dementia” and click on a hyperlink to a medical insurance site, the insurance company now knows you were visiting a page about dementia and could refuse service to you.

Although this is bad security practice there are numerous websites that include authentication tokens in the url query string. When clicking a link on such a site, the target website could receive the authentication token and execute actions on the the source site using the token of the visiting user.

Up to November 2020 the default setting for browsers (no-referrer-when-downgrade) was to send the complete url, meaning the full domain name + query string unless the connection was downgraded from https to http. Because of the privacy and security issues mentioned above the browsers changed the default settings to strict-origin-when-cross-origin, only sending the domain name and only to the same website (origin). By default no referrer information is currently sent to other websites at all.

Options
The Referrer-Policy header has the following options:

  • no-referrer -> send no referrer information under any circumstance
  • no-referrer-when-downgrade (old default browser setting) -> send complete referrer information unless the connection is downgraded from https to http
  • origin -> always send the domain name as referrer
  • origin-when-cross-origin -> send complete referrer information within the same website but only the domain name to other websites or when the connection is downgraded from https to http
  • same-origin -> send complete referrer information within the same website but no referrer at all to other websites
  • strict-origin -> always send the domain name, except when the connection is downgraded from https to http
  • strict-origin-when-cross-origin (current default browser setting) -> send complete referrer information to the same website and only the domain name to other websites but no referrer at all when the connection is downgraded from https to http
  • unsafe-url -> always send complete referrer information regardless of destination and security

 

References
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
https://web.dev/referrer-best-practices
https://scotthelme.co.uk/a-new-security-header-referrer-policy

NOTE: When enabled Really Simple SSL Pro will set this header to the current default browser setting of strict-origin-when-cross-origin

Table of Contents

Peter Tak

Peter Tak

Lorem ipsum dolor sit amet consectetur adipiscing elit dolor

Read More

Advanced Security

With the mixed content fixer and scan in Really Simple SSL pro we’ll get you the secure lock!

Definitions

Extensive scan which enables you to detect the source of mixed content that couldn’t be fixed automatically, with fix button.

HttpOnly and Secure flags to make cookies secure and encrypted.

Related articles

Cross Origin Security Headers

Cross-Origin Isolation In 2018, a new vulnerability was discovered in processors. It allowed a “side channel attack”. These types of attacks try to gather information

Read More