Insecure or unset HTTP headers - Referrer-Policy

Description

The server is missing the Referrer-Policy HTTP header. Alternatively, the header is present but configured with an unsafe value.

Impact

Leaks the website's domain and path to external services through the Referer request header.

Recommendation

Set the Referrer-Policy header to no-referrer, same-origin, strict-origin, or strict-origin-when-cross-origin in the server responses.

Threat

Unauthorized attacker from the Internet.

Expected Remediation Time

⌚ 30 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: H
  • User interaction: R
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: P
  • Remediation level: O
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
  • Score:
    • Base: 2.0
    • Temporal: 1.8
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

The Referrer-Policy header is set to a secure value

GET http://localhost/
Referrer-Policy: strict-origin-when-cross-origin

Non compliant code

The Referrer-Policy HTTP header is insecurely configured

GET http://localhost/
Referrer-Policy: none
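A small checker that applies the Recommendation above to a captured response, as an added example rather than code from the original page. It parses the header the way the Referrer Policy syntax allows (a comma-separated fallback list in which a user agent applies the last token it recognises and ignores unknown tokens), so a value like `none`, which is not a defined policy, is reported as effectively unset rather than as a valid setting. The header dictionaries fed to `check_response` are constructed sample input; function names are this example's own.

```python
"""Classify a Referrer-Policy response header against the values the page recommends.

Added example, not part of the original page. Header values and the sample
responses below are constructed for illustration.
"""
from typing import Dict, Optional, Tuple

# Every policy token the Referrer Policy specification defines.
KNOWN_POLICIES = {
    "no-referrer",
    "no-referrer-when-downgrade",
    "same-origin",
    "origin",
    "strict-origin",
    "origin-when-cross-origin",
    "strict-origin-when-cross-origin",
    "unsafe-url",
}

# The values the Recommendation section accepts as secure.
SECURE_POLICIES = {
    "no-referrer",
    "same-origin",
    "strict-origin",
    "strict-origin-when-cross-origin",
}


def effective_policy(header_value: Optional[str]) -> Optional[str]:
    """Return the policy a browser would apply for this header value.

    The header may carry several comma-separated tokens; the last one the
    browser recognises wins and unknown tokens are skipped. Returns None when
    the header is absent or contains no recognised token at all.
    """
    if header_value is None:
        return None
    chosen = None
    for token in header_value.split(","):
        token = token.strip().lower()
        if token in KNOWN_POLICIES:
            chosen = token  # last recognised token takes effect
    return chosen


def classify(header_value: Optional[str]) -> str:
    """Return 'compliant', 'insecure', or 'unset'.

    'unset' covers both a missing header and one whose tokens are all
    unrecognised (for example the page's non-compliant 'none'), since the
    browser then behaves as if no policy had been delivered.
    """
    policy = effective_policy(header_value)
    if policy is None:
        return "unset"
    return "compliant" if policy in SECURE_POLICIES else "insecure"


def check_response(headers: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Look up Referrer-Policy case-insensitively and return (verdict, effective policy)."""
    value = None
    for name, v in headers.items():
        if name.lower() == "referrer-policy":
            value = v
    return classify(value), effective_policy(value)


if __name__ == "__main__":
    # Constructed sample responses mirroring the page's compliant and
    # non-compliant examples, plus a missing header and a fallback list.
    samples = {
        "compliant example": {"Referrer-Policy": "strict-origin-when-cross-origin"},
        "non-compliant example": {"Referrer-Policy": "none"},
        "header missing": {"Content-Type": "text/html"},
        "fallback list": {"referrer-policy": "no-referrer, strict-origin-when-cross-origin"},
        "insecure value": {"Referrer-Policy": "unsafe-url"},
    }
    for label, hdrs in samples.items():
        verdict, policy = check_response(hdrs)
        print(f"{label:22s} -> {verdict:9s} (effective policy: {policy})")
```

Run it as a script to see each constructed response classified; in a scanner you would call `check_response` on the header dictionary of each fetched page and flag anything that is not `compliant`.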

Requirements