
Insecure or unset HTTP headers - Referrer-Policy

Need

Implementation of secure and properly configured HTTP headers

Context

  • Usage of Dart 2.0 for building scalable and efficient web and mobile applications
  • Usage of Shelf for managing and organizing data in Node.js applications

Description

Non compliant code

import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io; // serve() lives in shelf_io, not shelf

void main() {
  var handler = const shelf.Pipeline()
      .addMiddleware(shelf.logRequests())
      .addHandler(_echoRequest);

  // No middleware sets Referrer-Policy, so responses go out without it.
  io.serve(handler, 'localhost', 8080).then((server) {
    print('Serving at http://${server.address.host}:${server.port}');
  });
}

shelf.Response _echoRequest(shelf.Request request) {
  return shelf.Response.ok('Request for "${request.url}"');
}

In the above Dart code, we are using the shelf package to create a simple server. The server listens on localhost at port 8080 and responds to any request with a simple message.

However, this code is vulnerable because it does not set the Referrer-Policy HTTP header. The Referrer-Policy header controls how much referrer information (sent via the Referer header) should be included with requests.

Without this header, or with an insecure value, the browser may leak sensitive data from the URL (such as path segments or query parameters) to other sites through the Referer header. This can happen whenever your site links to an external site or loads resources from it.

To mitigate this vulnerability, it is recommended to always set the Referrer-Policy header to a secure value like 'no-referrer', 'same-origin', or 'strict-origin-when-cross-origin'.

Steps

  • Import the 'shelf' package in your Dart file.
  • Create a middleware function that adds the 'Referrer-Policy' HTTP header to every response.
  • The value of the 'Referrer-Policy' should be set to a secure option like 'no-referrer', 'same-origin', or 'strict-origin-when-cross-origin'.
  • Add this middleware to your server pipeline using the 'addMiddleware' function.

Compliant code

import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io; // serve() lives in shelf_io, not shelf

void main() {
  var handler = const shelf.Pipeline()
      .addMiddleware(shelf.logRequests())
      .addMiddleware(_addReferrerPolicyHeader()) // call it: addMiddleware expects a Middleware
      .addHandler(_echoRequest);

  io.serve(handler, 'localhost', 8080).then((server) {
    print('Serving at http://${server.address.host}:${server.port}');
  });
}

shelf.Response _echoRequest(shelf.Request request) {
  return shelf.Response.ok('Request for "${request.url}"');
}

// Middleware that adds Referrer-Policy to every response produced by the inner handler.
shelf.Middleware _addReferrerPolicyHeader() {
  return (shelf.Handler innerHandler) {
    return (shelf.Request request) async {
      final response = await innerHandler(request);
      // change() merges the given headers into the existing ones.
      return response.change(headers: {'Referrer-Policy': 'strict-origin-when-cross-origin'});
    };
  };
}

The above code fixes the vulnerability by adding the middleware _addReferrerPolicyHeader to the server pipeline. The middleware adds the 'Referrer-Policy' HTTP header to every response. The value of the 'Referrer-Policy' is set to 'strict-origin-when-cross-origin', which is a secure option.

The 'Referrer-Policy' HTTP header controls how much referrer information (sent via the Referer header) should be included with requests. The 'strict-origin-when-cross-origin' option sends a full URL when performing a same-origin request, only sends the origin of the document for cross-origin requests, and sends no header to a less secure destination (from HTTPS to HTTP).

This middleware is added to the server pipeline using the addMiddleware function, ensuring that every response includes this header. This helps to prevent potential security vulnerabilities related to the referrer policy.
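As an added example (not code from the page above), the same middleware written with Shelf's createMiddleware helper, with two practical additions: it rejects values outside an allow-list, and it keeps a stricter policy that a handler already set. The main() drives the handler in-process, without opening a socket, so it can double as a check that the header actually reaches the response. The names referrerPolicy and allowedPolicies are this example's own; it assumes only the shelf package.

```dart
import 'package:shelf/shelf.dart' as shelf;

// Allow-list for this example; values are the three the text recommends.
const allowedPolicies = {
  'no-referrer',
  'same-origin',
  'strict-origin-when-cross-origin',
};

// Returns middleware that adds Referrer-Policy to responses lacking it.
shelf.Middleware referrerPolicy({String policy = 'strict-origin-when-cross-origin'}) {
  if (!allowedPolicies.contains(policy)) {
    throw ArgumentError.value(policy, 'policy', 'not an allowed Referrer-Policy');
  }
  return shelf.createMiddleware(responseHandler: (shelf.Response response) {
    // Shelf header maps are case-insensitive, so this matches any spelling.
    if (response.headers.containsKey('referrer-policy')) {
      return response; // keep a policy the handler set deliberately
    }
    return response.change(headers: {'Referrer-Policy': policy});
  });
}

// Handler that sets a stricter policy on one sensitive path.
shelf.Response app(shelf.Request request) {
  if (request.url.path == 'reset-password') {
    return shelf.Response.ok('reset', headers: {'Referrer-Policy': 'no-referrer'});
  }
  return shelf.Response.ok('Request for "${request.url}"');
}

Future<void> main() async {
  final handler = const shelf.Pipeline()
      .addMiddleware(referrerPolicy())
      .addHandler(app);

  // In-process requests: no server needed to verify the header.
  final plain = await handler(shelf.Request('GET', Uri.parse('http://localhost/')));
  final reset = await handler(shelf.Request('GET', Uri.parse('http://localhost/reset-password')));

  final plainPolicy = plain.headers['referrer-policy'];
  final resetPolicy = reset.headers['referrer-policy'];
  print('/: $plainPolicy');              // strict-origin-when-cross-origin
  print('/reset-password: $resetPolicy'); // no-referrer
  if (plainPolicy != 'strict-origin-when-cross-origin' || resetPolicy != 'no-referrer') {
    throw StateError('Referrer-Policy header missing or wrong');
  }
}
```

Run it with dart run; a non-zero exit means the header did not make it onto the response.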
