@krfong916
Last active February 22, 2021 21:49
Strict-origin-when-cross-origin

What is it?

In general, the HTTP Referrer-Policy header is about reducing the information that the referrer carries. The referrer roughly translates to "you are now on this site (host) and you came from a certain page (referrer)".

Why it's important

Suppose you're on your user profile page at site.com/user=id:1223122. If you navigate elsewhere (to a different URL), the browser reports the URL you came from. If no referrer policy is set, URL paths can unintentionally reveal user information! Setting a Referrer-Policy header is good information-security practice. Suppose we set the strict-origin-when-cross-origin policy - what does that mean? strict-origin-when-cross-origin: send the destination host the full URL path when you stay on the same origin (going from site.com/user=id:123232 to site.com/resources), and ONLY send the origin without the path when you go to a foreign origin (going from site.com/user=id:123232 to abcd.com sends only site.com).

How to implement

key: 'Referrer-Policy',
value: 'strict-origin-when-cross-origin'

X-XSS Protection

What Is It

A header that stops pages from loading when cross-site scripting attacks are detected.

When modern browsers support Content-Security-Policy (CSP) and sites implement a strong CSP (disabling the use of 'unsafe-inline'), this header is not needed. However, on older browsers that don't support CSP, this header is useful.

What is a Cross-Site Scripting Attack?

An attacker is able to inject a script into the output of the web app so that it executes in the client's browser. Examples of what's up for grabs:

  • use a script to steal cookies, session tokens etc.
  • phishing campaigns - steal credentials, credit card information (build a campaign ad/pages that seem associated with the site in order to lure users to provide personal info)
  • use a script to run any kind of JavaScript in a user's browser

How can we prevent it?

Search all places where input from an HTTP request could make its way into the HTML output; whitelist what is allowed and deny the rest (add, revise later).

Bottomline

We need JavaScript to come only from trusted sources. Use this header in combination with a strong CSP.

Content Security Policy

X-Content-Type-Options

Prevents browsers from incorrectly detecting non-scripts as scripts. Script files must be served with one of the accepted script MIME types:

  • "application/ecmascript"
  • "application/javascript"
  • "application/x-javascript"
  • "text/ecmascript"
  • "text/javascript"
  • "text/jscript"
  • "text/x-javascript"
  • "text/vbs"
  • "text/vbscript"

Definition: MIME Type

A MIME type is a standard that indicates the type and format of a file or sequence of bytes. A MIME type has two parts:

type/subtype

The type represents the category of data the file falls under. The subtype identifies the specific kind of data within that type.

Implementation

X-Content-Type-Options: nosniff

HTTP Strict Transport Security

This HTTP header tells the user agent (browser etc.) to connect only over HTTPS. 'Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.' (revise: if HTTP, redirect to HTTPS)

Content Security Policy

A CSP can be specified in a header or in a meta tag. If the header specifies one rule set and a meta tag specifies another, the effective CSP can only get more restrictive. The goal of a CSP: load scripts, styles, and external resources only from the sources defined in the CSP header or tag.

It is easier to specify a domain without the protocol (domain.com instead of https://domain.com); this is looser without sacrificing security (granted that domain.com is trusted!). Script and style tags can be given a nonce - a number used only once - as identification. Without a matching nonce or hash specified in the header or meta tag, the style or script will not be run.

How to allow link tags rel="preconnect" or "preload"? script-src-attr
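Added example (not code from the gist): the referrer behaviour described under "Why it's important" and the header set these notes cover, as runnable JavaScript. It assumes the { key, value } entry shape used above, uses only the standard URL API, and the HSTS max-age and nonce are constructed sample values; it also covers the "strict" case the notes do not spell out, an HTTPS to HTTP downgrade, where nothing is sent.

```javascript
// Added example, not from the gist. Simulates strict-origin-when-cross-origin
// and assembles the header set described in these notes.

// Referer value a browser sends under strict-origin-when-cross-origin when
// navigating from `fromUrl` to `toUrl`. Returns null when nothing is sent.
function referrerFor(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const fromSecure = from.protocol === 'https:';
  const toSecure = to.protocol === 'https:';
  // Downgrade (HTTPS -> HTTP): the "strict" part, nothing is sent at all.
  if (fromSecure && !toSecure) return null;
  // Same origin: full URL, minus fragment and any credentials.
  if (from.origin === to.origin) return from.origin + from.pathname + from.search;
  // Cross-origin at the same security level: origin only (serialized with a trailing slash).
  return from.origin + '/';
}

// Content-Security-Policy string: scripts and styles only from self or a per-response nonce.
// extraScriptHosts may list scheme-less hosts such as 'cdn.example.com' (constructed sample).
function buildCsp(nonce, extraScriptHosts = []) {
  const scriptSrc = ["'self'", `'nonce-${nonce}'`, ...extraScriptHosts].join(' ');
  return [
    "default-src 'self'",
    `script-src ${scriptSrc}`,
    `style-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// The header set from these notes, in the { key, value } shape used above
// (assumed: a framework config that takes such a list; adapt to yours).
function securityHeaders(nonce, extraScriptHosts = []) {
  return [
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    // max-age is a constructed sample (two years); includeSubDomains extends HSTS to subdomains.
    { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains' },
    // Only matters on legacy browsers without CSP; the CSP below is the real control.
    { key: 'X-XSS-Protection', value: '1; mode=block' },
    { key: 'Content-Security-Policy', value: buildCsp(nonce, extraScriptHosts) },
  ];
}
```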
