
Referrer-Policy Header is Missing

Impact: Informational

Description

The Referrer-Policy HTTP header controls the amount of referrer information (sent via the Referer header) included with requests. The Referer header contains the address of the previous web page from which a link to the currently requested page was followed. While it has many legitimate uses such as analytics and logging, it can also pose privacy and security risks if not handled properly.

Recommendation

Configure your server to send the Referrer-Policy header on every response with the value strict-origin-when-cross-origin. This policy sends the full URL as the referrer when navigating within the same origin, but only the origin (scheme, host and port) when navigating from one origin to another. Other values may fit better depending on your specific requirements and security considerations.
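The description and recommendation above explain what the header controls and which value to set; the following Python check, added here as an example and not part of SmartScanner or this page, shows how a scanner would judge a response. It parses the header the way browsers do (comma-separated tokens, unrecognised tokens ignored, the last recognised token wins) and classifies the result as missing, invalid, weak or ok. A missing header leaves the browser default in effect, and strict-origin-when-cross-origin additionally sends no referrer at all on an HTTPS-to-HTTP downgrade, which is why it is preferred over the default. The header sets and hostnames in the block are constructed sample data; `check_url` is a hypothetical helper that fetches live headers with the standard library.

```python
"""Assess the Referrer-Policy header of an HTTP response.

Added example, not SmartScanner code. Header parsing follows the Referrer
Policy specification: split on commas, ignore tokens that are not a defined
policy (so a newer token degrades gracefully in old browsers), keep the last
recognised one. Policy tokens are compared exactly as the spec spells them.
"""
from __future__ import annotations

import urllib.request

# Every policy token defined by the Referrer Policy specification.
VALID_POLICIES = {
    "no-referrer",
    "no-referrer-when-downgrade",
    "same-origin",
    "origin",
    "strict-origin",
    "origin-when-cross-origin",
    "strict-origin-when-cross-origin",
    "unsafe-url",
}

# Policies that still leak the full URL (path and query) to other origins.
LEAKY_POLICIES = {"no-referrer-when-downgrade", "unsafe-url"}


def parse_referrer_policy(header_value: str | None) -> str | None:
    """Return the effective policy from a Referrer-Policy header value.

    Returns None when the header is absent, empty, or carries no recognised
    token. With several tokens the last valid one wins, which lets a server
    send "no-referrer, strict-origin-when-cross-origin" as a fallback chain.
    """
    if header_value is None:
        return None
    policy = None
    for token in header_value.split(","):
        token = token.strip()
        if token in VALID_POLICIES:
            policy = token
    return policy


def assess_referrer_policy(headers: dict[str, str]) -> dict:
    """Classify a response's Referrer-Policy as missing, invalid, weak or ok.

    Header names are matched case-insensitively, as HTTP requires.
    """
    value = next(
        (v for k, v in headers.items() if k.lower() == "referrer-policy"), None
    )
    policy = parse_referrer_policy(value)
    if value is None:
        status = "missing"   # browser default no-referrer-when-downgrade applies
    elif policy is None:
        status = "invalid"   # header present but no recognised token
    elif policy in LEAKY_POLICIES:
        status = "weak"      # full URL still reaches cross-origin sites
    else:
        status = "ok"
    return {"header": value, "effective_policy": policy, "status": status}


def check_url(url: str) -> dict:
    """Hypothetical helper: fetch a live URL and assess its response headers."""
    with urllib.request.urlopen(url) as resp:  # noqa: S310 (caller supplies URL)
        return assess_referrer_policy(dict(resp.headers))


# Constructed sample responses standing in for scanned hosts.
SAMPLE_RESPONSES = {
    "app.example.test": {"Content-Type": "text/html"},
    "legacy.example.test": {"Referrer-Policy": "unsafe-url"},
    "hardened.example.test": {
        "referrer-policy": "no-referrer, strict-origin-when-cross-origin"
    },
    "typo.example.test": {"Referrer-Policy": "strict-origin-when-cross-orgin"},
}


def scan_samples() -> dict[str, str]:
    """Return host -> status for the constructed sample responses."""
    return {host: assess_referrer_policy(h)["status"] for host, h in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for host, status in scan_samples().items():
        print(f"{host:25} {status}")
```

Running the block prints one line per sample host; only the hardened host reports ok, while the misspelled value is reported as invalid rather than ok, which is the case a naive substring check would miss.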


Last updated on May 13, 2024

Use SmartScanner Free version to test for this issue
