How To Fix a Missing Referrer-Policy on a Website

Kent Ickler //

Referrer-Policy, What-What?

Referrer-Policy is a security header that can (and should) be included on communication from your website’s server to a client. The Referrer-Policy tells the web browser how to handle referrer information that is sent to websites when a user clicks a link that leads to another page or website.

The Referrer-Policy can be configured to cause the browser to not inform the destination site any URL information, some information, or a full URL path. Having a policy set is good practice. The policy can be set a number of ways, including in website code (PHP, etc). Below we will be configuring the Referrer-Policy header in Apache configuration.

Check If Referrer-Policy Is Enabled

If you haven’t heard of these headers before, you probably don’t have them enabled. They aren’t automatic, though they may have been included in webapps you’ve installed (WordPress, Joomla, etc.). A quick way to check is to go to www.securityheaders.io and do a scan of your website. You can also check in FireFox’s Developer Console.

Identifying Your Referrer Needs

When a user leaves your website from a link that points elsewhere, it may be useful for the destination server to know where the user came from (your website). It might also be more appropriate that you don’t tell them any information about your website. The referrer header that is sent is typically a string that includes the URL of the page that the user clicked the link to the destination. There are multiple ways to configure if and what information is sent, but things to keep in mind are referrers may be necessary to properly configure web advertisements, analytics, and some authentication platforms. You can also ensure that an HTTPS URL is not leaked into HTTP headers (and consequently leaking website path information unencrypted across the internet).

In our case, we find the “no-referrer-when-downgrade” policy to meet our needs. This will ensure that if a user clicks a link to an HTTP website (not secure) the web browser will not post our HTTPS URL path (this would be a security data leak, as it discloses our URL path scheme unencrypted across the internet).

Specific policy options can be found in a link at the bottom of this post.

Create and configure the Referrer-Policy in Apache

The header we need to add will be added in the httpd.conf file (alternatively, apache.conf, etc).

In httpd.conf, find the section for your VirtualHost.

Next, find your <IfModule headers_module> section.  If it doesn’t exist, you will need to create it and add our specific headers.

<VirtualServer>

~Bits of important stuff here~

    <IfModule headers_module>

    RequestHeader set X-HTTPS 1

         Header set Referrer-Policy "no-referrer-when-downgrade"

       </IfModule>

~more bits of important stuff~

</VirtualServer>

Restart Apache

sudo service apache restart

Test the change:

Header Set Content-Security-Policy

Scott Helme has done a significant amount of research and helped pave the way for web devs to fully implement Referrer-Policy. Here is some great content that Scott has put together to assist in proper implementation.

A new security header: Referrer Policy – Link: https://scotthelme.co.uk/a-new-security-header-referrer-policy/

SecurityHeaders.io – Link: https://www.securityheaders.io

Related:

See Part 1: How to Configure Content-Security-Policy



Want to learn more mad skills from the person who wrote this blog?

Check out these classes from Kent and Jordan:

Applied Purple Teaming

Defending the Enterprise

Available live/virtual and on-demand!