
Insecure or unset HTTP headers - Referrer-Policy

Need

Implementation of secure and properly configured HTTP headers - Referrer-Policy

Context

  • Usage of C# 7.0 for modern language features and enhancements
  • Usage of Microsoft.AspNetCore.Mvc for building web applications using the MVC pattern in .NET Core
  • Usage of Microsoft.AspNetCore.StaticFiles for serving static files in ASP.NET Core applications
  • Usage of Microsoft.AspNetCore.CookiePolicy for managing and enforcing cookie policies in ASP.NET Core applications
  • Usage of Microsoft.AspNetCore.Hosting for hosting ASP.NET Core applications

Description

Non compliant code

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
    }

    app.UseStaticFiles();
    app.UseCookiePolicy();

    app.UseMvc(routes =>
    {
        routes.MapRoute(
            name: "default",
            template: "{controller=Home}/{action=Index}/{id?}");
    });
}

The code above is a typical configuration for an ASP.NET Core application. However, nothing in it emits the Referrer-Policy HTTP header, so the browser's default referrer behaviour applies and the application has no control over what it discloses.

The Referrer-Policy header controls how much referrer information (sent via the Referer header) is included with requests that originate from the page. If this header is not set, or is set to a permissive value, the full URL of the current page can be sent to other origins, exposing anything sensitive it carries, such as session IDs or other user-specific details in the path or query string.

In the code above, there's no middleware that sets the Referrer-Policy header in HTTP responses. Consequently, the application doesn't instruct the browser on how to limit the information put in the Referer header when navigating from the current site to another. This can lead to potential privacy leaks, as the URL of the HTTP request can contain sensitive information.

Steps

  • Add the Referrer-Policy HTTP header to the server's response.
  • Set a secure value for the Referrer-Policy header, such as 'strict-origin-when-cross-origin' or 'no-referrer-when-downgrade' (note that 'no-referrer-when-downgrade' still sends the full URL to any HTTPS destination, so it is the weaker of the two).
  • Configure the server to send the Referrer-Policy header for all responses.
  • Ensure that the Referrer-Policy header is properly configured in both development and production environments.

Compliant code

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
    }

    app.UseStaticFiles();
    app.UseCookiePolicy();

    // Add middleware to set the Referrer-Policy header.
    app.Use(async (context, next) =>
    {
        // Assign through the indexer rather than Headers.Add(): Add() throws an
        // ArgumentException if another component has already set the header,
        // whereas the indexer overwrites it with the intended value.
        context.Response.Headers["Referrer-Policy"] = "strict-origin-when-cross-origin";
        await next();
    });

    app.UseMvc(routes =>
    {
        routes.MapRoute(
            name: "default",
            template: "{controller=Home}/{action=Index}/{id?}");
    });
}

The above code fixes the vulnerability by adding a middleware that sets the Referrer-Policy HTTP header to strict-origin-when-cross-origin for all responses that pass through it. Under this policy the full URL is sent as the referrer for same-origin requests, only the origin (protocol, host, and port) is sent to other origins, and nothing is sent at all when navigating from HTTPS to a plain HTTP destination. This keeps path and query-string data out of the referrer when navigating to less secure or different origins.
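To make the policy semantics described above and in the Description concrete, the following Python script is an added example (it is not part of the original page and is not ASP.NET Core code) that computes, for a given policy, what a browser puts in the Referer header when navigating from one URL to another, following the rules of the W3C Referrer Policy specification. It also resolves the effective policy from a raw header value, including the unset case, which falls back to the browser default. The URLs and the session-ID query parameter are constructed sample values.

```python
"""Compute the Referer value a browser sends under a given Referrer-Policy.

Added example: simulates the referrer computation of the W3C Referrer Policy
specification so the effect of each policy value can be checked offline.
"""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Policy names defined by the Referrer Policy specification.
POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}


def _origin(url):
    """(scheme, host, port) tuple with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme))


def _serialize_origin(origin):
    """Origin as a browser would send it in Referer, e.g. 'https://host/'."""
    scheme, host, port = origin
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}/"
    return f"{scheme}://{host}:{port}/"


def _strip_for_referrer(url):
    """Full referrer URL: fragment and credentials are never sent under any policy."""
    parts = urlsplit(url)
    scheme, host, port = _origin(url)
    netloc = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def effective_policy(header_value, browser_default="strict-origin-when-cross-origin"):
    """Policy a browser applies for a raw Referrer-Policy header value.

    None (header unset) or a value with no recognised token falls back to the
    browser default (strict-origin-when-cross-origin in current browsers;
    older browsers used no-referrer-when-downgrade). With several
    comma-separated tokens the last recognised one wins, which is how servers
    list fallbacks for browsers that do not know the newer names.
    """
    if header_value is None:
        return browser_default
    chosen = None
    for token in header_value.split(","):
        token = token.strip().lower()
        if token in POLICIES:
            chosen = token
    return chosen or browser_default


def referrer_for(policy, source_url, dest_url):
    """Referer value sent when navigating source_url -> dest_url, or None if none."""
    if policy not in POLICIES:
        raise ValueError(f"unknown Referrer-Policy value: {policy!r}")
    if policy == "no-referrer":
        return None
    src, dst = _origin(source_url), _origin(dest_url)
    same_origin = src == dst
    # A downgrade is a navigation from a TLS-protected origin to a plaintext one.
    downgrade = src[0] == "https" and dst[0] != "https"
    full, origin = _strip_for_referrer(source_url), _serialize_origin(src)
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin":
        return None if downgrade else origin
    # strict-origin-when-cross-origin: full same-origin, origin cross-origin,
    # nothing on downgrade.
    if same_origin:
        return full
    return None if downgrade else origin


if __name__ == "__main__":
    # Constructed sample: a session id in the query string, navigating away.
    source = "https://app.example.com/account?session=abc123#top"
    for dest in ("https://partner.example.net/", "http://partner.example.net/"):
        for header in (None, "no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
            policy = effective_policy(header)
            print(f"{str(header):34} -> {dest:30} Referer: {referrer_for(policy, source, dest)}")
```

Running the script side by side shows the difference between the two values named in the Steps: with no-referrer-when-downgrade the session parameter reaches the HTTPS partner origin in full, while strict-origin-when-cross-origin reduces it to `https://app.example.com/` and sends nothing to the HTTP destination.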

The middleware is added in the Configure method, which is called by the runtime to configure the HTTP request pipeline. It is registered before the MVC middleware so that the header is set for every response MVC produces, including error responses. Note that it sits after UseStaticFiles, so responses served directly by the static file middleware short-circuit the pipeline and never reach it; register it earlier in the pipeline if static responses must carry the header as well.

The Use extension method is used to add the middleware to the application's request pipeline. The middleware is a delegate that takes the HttpContext and a function that can process the next middleware in the pipeline. The middleware sets the Referrer-Policy header and then calls the next middleware.

The await next(); line is important because it allows the next middleware in the pipeline to process the request and generate the response. After the next middleware has completed, the control returns back to our middleware, allowing us to make any necessary post-processing before the response is sent to the client.

This solution ensures that the Referrer-Policy header is properly configured in both development and production environments, as it is added in the Configure method, which is called in both environments.

References