When a user is leaving your site from a link on your site. There is a great risk that you’r leaking information to the target. This can both be a privacy issue as well as security, dependent of what the URL contains on your site before leaving.

The current URL value will be added to the referrer header in the http request for the next navigation. And if that site isn’t yours, you are leaking information unless you have specified the Referrer-Policy header. The URL can contains information that is private to the user or internal information about your system. You can even hand out URLs that shouldn’t be used for other users like password reset pages.

This header replaces the referrer directive in the Content-Security-Policy that is now obsolete. You can limit or block the refer URL by using one of the following values:

  • unsafe-url - full URL to everyone.
  • same-origin - full URL only to yourself* but not when changing from https to http.
  • no-referrer - no URL is sent.
  • no-referrer-when-downgrade - full URL but nothing when moving from https to http.
  • origin - base URL* and only to yourself*.
  • strict-origin - base URL, only to yourself* but nothing when moving from https to http.
  • origin-when-cross-origin - full URL to yourself* and only base URL* to others.
  • strict-origin-when-cross-origin - full URL to yourself* and only base URL* to others but nothing when moving from https to http

*yourself = same domain. For https://google.com/search?… it’s every page at google.com.

*base URL is https://www.google.com for the full URL https://google.com/search?source=hp&ei=ds7hXJ6LNPyKk7

Your first instinct may be to use no-referrer to be safe. But things to consider is that your site maybe need to know your own navigation-source URL to work properly, then use same-origin instead. If you don’t let any information about your site go to the navigated site you completely destroys statistics for that site, so at least you could send the base URL right? So I would say that strict-origin-when-cross-origin is a better option. If you don’t have any sensitive information what so ever in your URL you can use no-referrer-when-downgrade.

Adding it can look like this:

<add name="Referrer-Policy" value="strict-origin-when-cross-origin"/>

Read more about: How to add headers to your .net site

Previously in the Security Headers series: X-Frame-Options

Next up in the Security Headers series: Content-Security-Policy