1. Introduction
The Missing Referrer Policy vulnerability means your website isn’t controlling how much information browsers send when a user clicks a link from your site to another. This can expose sensitive data in the HTTP referer header, potentially revealing internal URLs or user activity. Websites are usually affected, and this impacts confidentiality by allowing unintended data disclosure.
2. Technical Explanation
The Referrer Policy controls which referrer information the browser sends with requests that leave a page. Without a policy set, browsers may send the full URL of the referring page as the Referer header. An attacker could exploit this to gather information about your website’s structure or user behaviour by analysing server logs or intercepting network traffic. This requires the attacker to control, or be able to observe, a destination that your site links to.
- Root cause: No ‘Referrer-Policy’ HTTP header or meta tag is configured on the webserver or in HTML pages.
- Exploit mechanism: An attacker hosts a malicious website and crafts links designed to extract referrer information when clicked by users visiting your site. The full URL, including potential session IDs or internal paths, is sent to the attacker’s server.
- Scope: All websites that do not explicitly define a Referrer Policy are affected.
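To make the exposure concrete, here is an added Python example (not from the original page) that reproduces the Referrer Policy specification's rules for computing the Referer value under every policy token, so you can see exactly what a browser would send for a given link. The intranet and partner URLs are constructed samples, and the unset case defaults to the legacy no-referrer-when-downgrade behaviour the text describes.

```python
from urllib.parse import urlsplit, urlunsplit

POLICIES = ("no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
            "strict-origin", "origin-when-cross-origin",
            "strict-origin-when-cross-site", "unsafe-url")

def _hostport(p):
    return p.hostname + (f":{p.port}" if p.port else "")

def _strip(url):
    """Referrer source as the spec strips it: credentials and fragment dropped,
    path and query kept (this is what leaks under a permissive policy)."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _hostport(p), p.path or "/", p.query, ""))

def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{_hostport(p)}/"   # origin-only referrers end in "/"

def referrer_for(policy, source_url, dest_url, browser_default="no-referrer-when-downgrade"):
    """Referer a browser sends for source_url -> dest_url under `policy`, or None.
    An unset policy falls back to browser_default: legacy browsers used
    no-referrer-when-downgrade, current ones strict-origin-when-cross-site."""
    policy = (policy or "").strip().lower() or browser_default
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    src, dst = urlsplit(source_url), urlsplit(dest_url)
    full, origin = _strip(source_url), _origin(source_url)
    same_origin = (src.scheme, src.hostname, src.port) == (dst.scheme, dst.hostname, dst.port)
    downgrade = src.scheme == "https" and dst.scheme == "http"   # TLS page -> plaintext link
    return {
        "no-referrer": None,
        "unsafe-url": full,
        "no-referrer-when-downgrade": None if downgrade else full,
        "same-origin": full if same_origin else None,
        "origin": origin,
        "strict-origin": None if downgrade else origin,
        "origin-when-cross-origin": full if same_origin else origin,
        "strict-origin-when-cross-site": full if same_origin else (None if downgrade else origin),
    }[policy]

def leak_table(source_url, dest_url):
    """What each policy (and the unset case, key "") would send for one link."""
    return {p: referrer_for(p, source_url, dest_url) for p in ("",) + POLICIES}

if __name__ == "__main__":
    # Constructed sample: an internal page with a query string linking to a third party.
    for policy, ref in leak_table("https://intranet.example.com/reports/2024?session=abc123",
                                  "https://partner.example.net/").items():
        print(f"{policy or '(unset)':30} -> {ref}")
```

Run it once with an https destination and once with an http one to see which policies drop the referrer entirely on a downgrade.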
3. Detection and Assessment
You can check for a missing Referrer Policy by inspecting HTTP headers returned by your website. A thorough method involves scanning all pages of your site.
- Quick checks: Use browser developer tools (Network tab) to inspect the referer header when navigating from your site to an external link.
- Scanning: Security scanners like OWASP ZAP or Burp Suite can identify missing Referrer-Policy headers. Example signature ID: 93210.
- Logs and evidence: Server access logs will show the full URL in the referer header if no policy is set.
curl -I https://yourwebsite.com
4. Solution / Remediation Steps
Configure a Referrer Policy on your website to restrict referrer information sent with requests. This can be done via HTTP header or meta tag.
4.1 Preparation
- Ensure you understand the implications of the different Referrer Policy values. A rollback plan involves removing the added header or meta tag.
- Change windows may be needed depending on your deployment process and approval requirements.
4.2 Implementation
- Step 1: Add the ‘Referrer-Policy’ HTTP header to your webserver configuration. A common value is ‘strict-origin-when-cross-site’.
- Step 2: If you cannot modify server configuration, add a meta tag to the <head> section of each HTML page.
4.3 Config or Code Example
Before
# No Referrer-Policy header configured in Apache/Nginx config file
After
Header always set Referrer-Policy "strict-origin-when-cross-site"
4.4 Security Practices Relevant to This Vulnerability
Secure headers are a key practice for protecting your website. Least privilege can limit the impact if referrer information is exposed.
- Practice 1: Implement secure HTTP headers, including Referrer-Policy, Content-Security-Policy, and X-Frame-Options to enhance security.
- Practice 2: Apply least privilege principles to webserver accounts and configurations to reduce the potential impact of a successful exploit.
4.5 Automation (Optional)
If using configuration management tools, automate the addition of the ‘Referrer-Policy’ header across all servers.
# Example Ansible task (mod_headers must be enabled on the target):
- name: Set Referrer-Policy header in Apache virtual host
  ansible.builtin.lineinfile:
    path: /etc/apache2/sites-available/yourwebsite.conf
    # Match only an existing Referrer-Policy line, not every "Header always set" line
    regexp: '^\s*Header always set Referrer-Policy'
    line: '    Header always set Referrer-Policy "strict-origin-when-cross-site"'
    # Insert inside the vhost block rather than appending after </VirtualHost>
    insertbefore: '^</VirtualHost>'
5. Verification / Validation
- Post-fix check: Use `curl -I https://yourwebsite.com` and verify that the ‘Referrer-Policy’ header is present with the expected value (e.g., strict-origin-when-cross-site).
- Re-test: Repeat the quick check from Section 3 to confirm the referer header now reflects the configured policy.
- Smoke test: Ensure basic website functionality, such as navigating between pages and submitting forms, remains operational.
- Monitoring: Check server logs for unexpected referrer patterns or errors related to the new header. Example query: search for “Referrer-Policy” in access logs.
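As an added example serving both the detection check in Section 3 and the post-fix check above (not part of the original page), this Python script classifies the Referrer-Policy of each URL the way a browser interprets it: multiple headers are combined, the value is parsed last-valid-token-wins, a <meta name="referrer"> tag in the body (which replaces a header-set policy once parsed) is checked too, and values that still send the full URL cross-site are flagged as weak. The header and HTML values in the comments are constructed samples.

```python
import re
import sys
import urllib.request

VALID = ("no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
         "strict-origin", "origin-when-cross-origin",
         "strict-origin-when-cross-site", "unsafe-url")
LEAKY = ("unsafe-url", "no-referrer-when-downgrade")   # still send the full URL cross-site
_META = re.compile(r'<meta\b(?=[^>]*\bname\s*=\s*["\']?referrer\b)[^>]*\bcontent\s*=\s*["\']([^"\']*)', re.I)

def effective_policy(value):
    """Spec parsing rule for a header value: comma-separated tokens, unknown
    tokens are ignored and the last recognised one wins ("" if none)."""
    policy = ""
    for token in value.split(","):
        token = token.strip().lower()
        if token in VALID:
            policy = token
    return policy

def meta_policy(body):
    """Content of <meta name="referrer" content="..."> in the HTML, if any."""
    m = _META.search(body)
    return m.group(1) if m else None

def assess(headers, body=""):
    """Classify one response. headers: dict of response headers (any case, several
    Referrer-Policy headers already joined with commas); body: optional HTML.
    Returns (status, policy), status in missing / invalid / weak / ok."""
    value = meta_policy(body)   # a meta tag replaces the header-set policy once parsed
    if value is None:
        value = {k.lower(): v for k, v in headers.items()}.get("referrer-policy")
    if value is None:
        return "missing", ""
    policy = effective_policy(value)
    if not policy:
        return "invalid", value.strip()   # browser ignores it and uses its default
    return ("weak" if policy in LEAKY else "ok"), policy

def check_url(url):
    """Fetch one page with GET (so the body is available for the meta check)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        vals = resp.headers.get_all("Referrer-Policy") or []
        headers = {"Referrer-Policy": ", ".join(vals)} if vals else {}
        body = resp.read(65536).decode("utf-8", "replace")
    return assess(headers, body)

if __name__ == "__main__":
    for url in sys.argv[1:]:      # e.g. python check_referrer_policy.py https://yourwebsite.com/
        print(url, *check_url(url))
```

Feed it the full list of your site's URLs to cover the "scan all pages" step; any result other than ok needs attention.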
curl -I https://yourwebsite.com
6. Preventive Measures and Monitoring
Update your security baseline to include a requirement for Referrer Policy configuration. Implement checks in CI/CD pipelines to enforce secure header settings.
- Baselines: Update your website security baseline or policy to mandate the use of a defined Referrer-Policy value.
- Pipelines: Add static analysis tools (SAST) to your CI pipeline to check for missing or misconfigured HTTP headers.
- Asset and patch process: Review webserver configurations regularly as part of your asset management process.
7. Risks, Side Effects, and Roll Back
Incorrectly configured Referrer Policy values can break website functionality. A rollback involves removing the added header or meta tag.
- Risk or side effect 1: An overly restrictive policy may prevent legitimate cross-site referrals from working correctly.
- Risk or side effect 2: Incorrect syntax in the header configuration could cause server errors.
- Roll back: Remove the added ‘Referrer-Policy’ HTTP header from your webserver configuration, or delete the meta tag from HTML pages. Restart the web service if necessary.
8. References and Resources
- Vendor advisory or bulletin: N/A
- NVD or CVE entry: N/A
- Product or platform documentation relevant to the fix: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy