Insecure or unset HTTP headers - Referrer-Policy
Need
Enforcement of secure and properly configured HTTP headers
Context
- Usage of Java 8 for developing applications with enhanced features and performance
- Usage of javax.servlet-api for developing Java web applications with Servlets
Description
Non-compliant code
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    // some code here
    resp.setContentType("text/html");
    // No Referrer-Policy header is set, so the browser falls back to its default policy
    resp.getWriter().println("<h1>Hello, world!</h1>");
}
In the above code, we have a simple HTTP GET handler that responds with a "Hello, world!" message. The vulnerability lies in the fact that the HttpServletResponse object, resp, does not set the Referrer-Policy HTTP header.

The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with requests made from a particular request client. If the Referrer-Policy is not set, or is set to an insecure value, it can potentially leak sensitive information contained in the URL to third parties.

In this case, because the Referrer-Policy is not set, the browser will use its default Referrer Policy, which could potentially be unsafe depending on the browser's settings. This can lead to privacy issues, as the URL of the webpage that linked to the current page will be included in the Referer header. If this URL contains sensitive information, it could be exposed to third parties.
Steps
- Set the Referrer-Policy HTTP header in the response.
- Choose an appropriate Referrer-Policy value based on your security requirements.
- Ensure that the Referrer-Policy header is set for all responses, not just for HTML responses.
- Consider using a Content Security Policy (CSP) to further enhance the security of your application.
Compliant code
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    // some code here
    resp.setContentType("text/html");
    // Set the Referrer-Policy HTTP header before the body is written (headers
    // added after the response is committed are silently ignored)
    resp.setHeader("Referrer-Policy", "no-referrer");
    resp.getWriter().println("<h1>Hello, world!</h1>");
}
The updated code now includes the setting of the Referrer-Policy HTTP header in the response. The Referrer-Policy header controls how much referrer information (sent via the Referer header) should be included with requests.

In this case, we've set the Referrer-Policy to no-referrer, which means that no referrer information will be sent along with requests. This is the most secure setting, but it may not be appropriate for all applications. You should choose a Referrer-Policy value that best suits your security requirements.

It's important to note that the Referrer-Policy header should be set for all responses, not just for HTML responses. This is because the referrer information can be used to track users and their activities, which can be a privacy concern.

In addition to setting the Referrer-Policy header, you might also want to consider using a Content Security Policy (CSP) to further enhance the security of your application. A CSP can help to prevent a variety of other types of attacks, including cross-site scripting (XSS) and data injection attacks.
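Setting the header inside one doGet() covers only that handler. The Steps above and the paragraph on applying the header to all responses both point to the same fix: a servlet Filter mapped to every URL pattern, so JSON endpoints, redirects, error pages and static resources carry the header as well. The following filter is an added example written for this page; it is not code from the original fix page or from javax.servlet-api. The class name SecurityHeadersFilter, the chosen policy value, the optional CSP value and the local deployment URL in the usage note are assumptions.

```java
import java.io.IOException;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not part of the original page). Mapped to "/*" so every
// response gets the header, and registered for FORWARD and ERROR dispatches as
// well as plain requests, because container-generated error pages bypass a
// filter that is registered for REQUEST only.
@WebFilter(
    filterName = "SecurityHeadersFilter",
    urlPatterns = {"/*"},
    dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.FORWARD, DispatcherType.ERROR}
)
public class SecurityHeadersFilter implements Filter {

    // Assumed policy value. Valid values defined by the Referrer Policy spec are:
    // no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin,
    // same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url.
    // no-referrer sends nothing at all; strict-origin-when-cross-origin keeps the
    // full URL for same-origin navigation, sends only the origin cross-origin,
    // and sends nothing on an HTTPS-to-HTTP downgrade.
    static final String REFERRER_POLICY = "strict-origin-when-cross-origin";

    // Assumed, deliberately minimal CSP. A real policy must be tuned to the
    // application's script, style and resource origins or it will break pages.
    static final String CONTENT_SECURITY_POLICY = "default-src 'self'";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to initialise; defined explicitly for Servlet API 3.x compatibility.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse resp = (HttpServletResponse) response;
            // setHeader() replaces any existing value, so the policy is not duplicated
            // if a servlet or another filter already set it.
            resp.setHeader("Referrer-Policy", REFERRER_POLICY);
            resp.setHeader("Content-Security-Policy", CONTENT_SECURITY_POLICY);
        }
        // Headers are added before delegating down the chain: once the servlet
        // writes the body and the response is committed, new headers are ignored.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

To confirm the header is present on every response type, not only HTML, request an HTML page, a JSON endpoint and a non-existent path (to trigger the container's error page) and inspect the response headers, for example with `curl -sI http://localhost:8080/app/missing | grep -i referrer-policy` (the host, port and context path are assumptions for a local deployment). Each response should show the Referrer-Policy line; if the error page lacks it, check that DispatcherType.ERROR is included in the filter registration.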