Insecure or unset HTTP headers - Referrer-Policy
Need
Prevent website domain and path from being leaked to external services.
Context
- Usage of Elixir for building scalable and fault-tolerant applications
- Usage of Plug and Cowboy for HTTP request and response handling
- Improperly set Referrer-Policy HTTP header in the server
Description
Non compliant code
defmodule VulnerableApp do
  use Plug.Router

  plug :match
  plug :dispatch

  # No plug sets a Referrer-Policy header, so every response
  # leaves the browser's default referrer behaviour in effect.
  get "/" do
    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "Hello world!")
  end
end
This code sets up a simple Plug router to handle HTTP requests, but it never sets the Referrer-Policy header, so the browser falls back to its default policy. Older browsers default to no-referrer-when-downgrade, which sends the full URL, including path and query string, to any HTTPS destination the user navigates to; current browsers default to strict-origin-when-cross-origin, which still discloses the origin to third parties and the full URL to same-origin requests. Either way the application has not stated what it wants disclosed.
Steps
- Plug does not ship a Referrer-Policy plug. Define a function plug in your router (or a small module plug) that calls Plug.Conn.put_resp_header(conn, "referrer-policy", "strict-origin") and add it with plug :put_referrer_policy before plug :match, so the header is set on every response, including 404s and errors produced by later plugs.
- The strict-origin policy makes the browser send only the origin (scheme, host and port), never the path or query string, and only when the protocol security level stays the same (HTTPS to HTTPS); on a downgrade to HTTP no Referer header is sent at all.
- If the hostname itself must not reach third parties, choose no-referrer or same-origin instead; strict-origin still discloses the origin to cross-origin HTTPS destinations.
Compliant code
defmodule SecureApp do
  use Plug.Router

  # Runs before routing, so the header is present on every response.
  plug :put_referrer_policy
  plug :match
  plug :dispatch

  get "/" do
    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "Hello world!")
  end

  # Function plug: Plug.Conn is already imported by `use Plug.Router`.
  defp put_referrer_policy(conn, _opts) do
    put_resp_header(conn, "referrer-policy", "strict-origin")
  end
end
This code sets the Referrer-Policy HTTP header to strict-origin on every response before the request is routed. Browsers will then send only the origin (scheme, host and port), never the path or query string, and only when the destination keeps the same protocol security level (HTTPS to HTTPS); on a downgrade to HTTP the Referer header is omitted entirely. The origin is still disclosed to cross-origin HTTPS destinations, so if the domain itself is sensitive use no-referrer or same-origin instead.
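The following is an added example, not code from the original page, that generalizes the fix above into a reusable module plug. The module names ReferrerPolicyPlug, SecureRouter and ReferrerPolicyPlugTest, the :policy option and the Mix project with plug and plug_cowboy as dependencies are assumptions for illustration. The plug rejects unknown policy values at compile time, so a typo such as "strict_origin" cannot silently produce a header browsers ignore, and the ExUnit test uses Plug.Test to confirm the header is actually emitted, including on a route that does not exist.

```elixir
defmodule ReferrerPolicyPlug do
  @moduledoc """
  Module plug that sets the Referrer-Policy response header.
  Usage in a router: `plug ReferrerPolicyPlug, policy: "strict-origin"`.
  Hypothetical helper written for this example, not part of Plug.
  """
  @behaviour Plug
  import Plug.Conn

  # The policy tokens defined by the Referrer Policy specification.
  @policies ~w(
    no-referrer no-referrer-when-downgrade same-origin origin
    strict-origin origin-when-cross-origin
    strict-origin-when-cross-origin unsafe-url
  )

  @impl true
  def init(opts) do
    # init/1 runs at compile time inside Plug.Builder, so a bad value
    # fails the build instead of shipping an unparseable header.
    policy = Keyword.get(opts, :policy, "strict-origin")

    if policy in @policies do
      policy
    else
      raise ArgumentError,
            "unknown Referrer-Policy #{inspect(policy)}; expected one of #{inspect(@policies)}"
    end
  end

  @impl true
  def call(conn, policy) do
    put_resp_header(conn, "referrer-policy", policy)
  end
end

defmodule SecureRouter do
  use Plug.Router

  # Placed before :match so 404s and other non-route responses get it too.
  plug ReferrerPolicyPlug, policy: "strict-origin"
  plug :match
  plug :dispatch

  get "/" do
    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "Hello world!")
  end

  match _ do
    send_resp(conn, 404, "not found")
  end
end

defmodule ReferrerPolicyPlugTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  @opts SecureRouter.init([])

  test "referrer-policy is set on a matched route" do
    conn = SecureRouter.call(conn(:get, "/"), @opts)

    assert conn.status == 200
    assert get_resp_header(conn, "referrer-policy") == ["strict-origin"]
  end

  test "referrer-policy is set on unmatched routes as well" do
    conn = SecureRouter.call(conn(:get, "/does-not-exist"), @opts)

    assert conn.status == 404
    assert get_resp_header(conn, "referrer-policy") == ["strict-origin"]
  end

  test "unknown policy values are rejected at init time" do
    assert_raise ArgumentError, fn ->
      ReferrerPolicyPlug.init(policy: "strict_origin")
    end
  end
end
```

Run the tests with mix test after adding plug and plug_cowboy to deps in mix.exs. If the application is a Phoenix app rather than a bare Plug router, check the browser pipeline first: recent Phoenix versions already emit referrer-policy: strict-origin-when-cross-origin from put_secure_browser_headers/2, and adding a second plug would produce a duplicate header rather than override it, so adjust the existing one instead.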