
Insecure or unset HTTP headers - Referrer-Policy

Need

Implementation of secure and properly configured HTTP headers, specifically the Referrer-Policy header.

Context

  • Usage of TypeScript for type-checking and compiling JavaScript code
  • Usage of Express for building web applications and handling HTTP requests

Description

Non-compliant code

import express from 'express';

const app = express();

// No middleware sets Referrer-Policy, so every response leaves the
// referrer behaviour to the browser's default.
app.get('/', (req, res) => {
  res.send('Hello World!');
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The vulnerability in this code is that it never sets the Referrer-Policy HTTP header on server responses. This header controls how much of the referring page's URL the browser includes in the Referer request header when a user navigates from one page to another.

Without setting the Referrer-Policy header, the browser will default to using the no-referrer-when-downgrade policy, which means that the full URL of the referring page will be included in the request headers when navigating to a different domain. This can leak sensitive information about the website's domain and path to external services. Newer browser versions default to strict-origin-when-cross-origin instead, but relying on the client's default rather than an explicit header leaves the policy outside the server's control.

To fix this vulnerability, the code should set an appropriate Referrer-Policy header on server responses. This can be done by adding the following code before the route definitions:

// Set the header on every response, then hand off to the next handler.
app.use((req, res, next) => {
  res.setHeader('Referrer-Policy', 'no-referrer');
  next();
});

This snippet registers a middleware function that sets the Referrer-Policy header to no-referrer on all server responses. Under this policy the browser omits the Referer header entirely, for same-origin and cross-origin navigations alike, so no referrer information reaches a different domain.

By setting the Referrer-Policy header to an appropriate value like no-referrer, same-origin, strict-origin, or strict-origin-when-cross-origin, the vulnerability can be mitigated, and the website's domain and path will not be leaked to external services.

Steps

  • Install the helmet package by running npm install helmet.
  • Import the helmet package in your code by adding import helmet from 'helmet';.
  • Add the helmet middleware to your Express app by adding app.use(helmet()); before defining your routes.
  • Set the Referrer-Policy header to one of the recommended values (no-referrer, same-origin, strict-origin, or strict-origin-when-cross-origin) by adding app.use(helmet.referrerPolicy({ policy: 'no-referrer' })); after adding the helmet middleware.
  • Restart your server and verify that the Referrer-Policy header is now set correctly.

Compliant code

import express from 'express';
import helmet from 'helmet';

const app = express();

// Helmet's default header set, applied to every response.
app.use(helmet());
// Explicit Referrer-Policy value, registered before any route is defined.
app.use(helmet.referrerPolicy({ policy: 'no-referrer' }));

app.get('/', (req, res) => {
  res.send('Hello World!');
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The fixed code addresses the vulnerability by setting the Referrer-Policy header to 'no-referrer' using the Helmet middleware in an Express.js application.

First, the code imports the necessary modules, 'express' and 'helmet'. Express is a popular web application framework for Node.js, while Helmet is a middleware package that helps secure Express applications by setting various HTTP headers.

Next, an instance of the Express application is created using the 'express()' function and assigned to the 'app' variable.

The code then applies the Helmet middleware to the application using the 'app.use(helmet())' statement. This enables various security-related headers provided by Helmet.

To specifically address the Referrer-Policy vulnerability, the code uses the app.use(helmet.referrerPolicy({ policy: 'no-referrer' })) statement. This sets the Referrer-Policy header to 'no-referrer', so the browser omits the Referer header and sends no referrer information when navigating to external websites.

After setting up the middleware, the code defines a simple route handler for the root path ('/') that sends the response 'Hello World!' when accessed.

Finally, the application listens on port 3000 using the 'app.listen(3000)' statement and logs a message to indicate that the server is running.

By setting the Referrer-Policy header to 'no-referrer' using the Helmet middleware, the fixed code ensures that the server response includes the necessary header to prevent leaking the website domain and path to external services.
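To carry out the last step of the list above (verifying that the header is set correctly), here is an added TypeScript audit helper; it is not part of the original page, of Express or of Helmet. It rates the Referrer-Policy header found in a captured response's header map, following the parsing rule of the Referrer Policy specification (comma-separated fallback list, last recognised token wins, unknown tokens ignored); the header maps in SAMPLES are constructed, so it runs offline.

```typescript
// Added example, not from the page: audit helper for the "verify the header" step.
// Parses the header value the way the Referrer Policy spec does and rates the result.

const VALID_POLICIES = new Set([
  'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin', 'unsafe-url',
]);

// Values this page recommends; the other valid ones send more of the URL cross-origin.
const RECOMMENDED = new Set([
  'no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin',
]);

type Verdict = 'unset' | 'invalid' | 'weak' | 'ok';

interface PolicyCheck {
  effective: string | null; // policy a browser would apply; null means browser default
  verdict: Verdict;
  ignored: string[];        // tokens that are not policy names (typos etc.)
}

// Case-insensitive lookup: curl and fetch may report header names in any casing.
function getHeader(headers: Record<string, string>, name: string): string | undefined {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

function checkReferrerPolicy(headers: Record<string, string>): PolicyCheck {
  const raw = getHeader(headers, 'Referrer-Policy');
  if (raw === undefined) return { effective: null, verdict: 'unset', ignored: [] };
  let effective: string | null = null;
  const ignored: string[] = [];
  for (const part of raw.split(',')) {
    const token = part.trim().toLowerCase();
    if (token === '') continue;                        // empty tokens are skipped
    if (VALID_POLICIES.has(token)) effective = token;  // later valid token wins
    else ignored.push(token);
  }
  if (effective === null) return { effective, verdict: 'invalid', ignored };
  return { effective, verdict: RECOMMENDED.has(effective) ? 'ok' : 'weak', ignored };
}

// Constructed sample responses standing in for the two servers above plus edge cases.
const SAMPLES: Record<string, Record<string, string>> = {
  nonCompliant: { 'Content-Type': 'text/html' },
  compliant: { 'content-type': 'text/html', 'referrer-policy': 'no-referrer' },
  fallbackList: { 'Referrer-Policy': 'no-referrer, strict-origin-when-cross-origin' },
  typo: { 'Referrer-Policy': 'no-refferer' },
};
```

Feed it the header object from a fetch or an HTTP client's response against the running server; a verdict other than 'ok' means the header is missing, misspelled or set to a value that still sends part of the URL.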
