
Insecure or unset HTTP headers - Referrer-Policy

Need

Implementation of secure and properly configured HTTP headers

Context

• Usage of Dart 2.0 for building scalable and efficient web and mobile applications

• Usage of Shelf for managing and organizing data in Node.js applications

Description

1. Non-compliant code

import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io; // serve() lives in shelf_io, not shelf

// Echo handler: answers every request with a simple message.
shelf.Response _echoRequest(shelf.Request request) =>
    shelf.Response.ok('Request for "${request.url}"');

void main() {
  // Only request logging is in the pipeline; no middleware sets Referrer-Policy,
  // so every response leaves the browser's default referrer behaviour in place.
  var handler = const shelf.Pipeline().addMiddleware(shelf.logRequests()).addHandler(_echoRequest);

  io.serve(handler, 'localhost', 8080).then((server) {
    print('Serving at http://${server.address.host}:${server.port}');
  });
}

In the above Dart code, we are using the `shelf` package to create a simple server. The server listens on localhost at port 8080 and responds to any request with a simple message. However, this code is vulnerable because it does not set the `Referrer-Policy` HTTP header. The `Referrer-Policy` header controls how much referrer information (sent via the `Referer` header) is included with requests. Without this header, or with an insecure configuration, the site can leak sensitive data from the URL (for example path segments, query parameters or tokens) to other sites through the `Referer` header. This happens whenever your site links to an external site or loads resources from it. To mitigate this vulnerability, always set the `Referrer-Policy` header to a secure value such as 'no-referrer', 'same-origin' or 'strict-origin-when-cross-origin'.

2. Steps

• Import the 'shelf' package in your Dart file.

• Create a middleware function that adds the 'Referrer-Policy' HTTP header to every response.

• The value of the 'Referrer-Policy' should be set to a secure option like 'no-referrer', 'same-origin', or 'strict-origin-when-cross-origin'.

• Add this middleware to your server pipeline using the 'addMiddleware' function.

3. Secure code example

import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io; // serve() lives in shelf_io, not shelf

// Echo handler: answers every request with a simple message.
shelf.Response _echoRequest(shelf.Request r) => shelf.Response.ok('Request for "${r.url}"');

// Middleware that adds a secure Referrer-Policy header to every outgoing response.
final shelf.Middleware _addReferrerPolicyHeader = shelf.createMiddleware(
    responseHandler: (response) => response.change(
        headers: {'Referrer-Policy': 'strict-origin-when-cross-origin'}));

void main() {
  var handler = const shelf.Pipeline()
      .addMiddleware(shelf.logRequests())
      .addMiddleware(_addReferrerPolicyHeader)
      .addHandler(_echoRequest);
  io.serve(handler, 'localhost', 8080).then((server) {
    print('Serving at http://${server.address.host}:${server.port}');
  });
}

The above code fixes the vulnerability by adding a middleware function `_addReferrerPolicyHeader` to the server pipeline. This function adds the 'Referrer-Policy' HTTP header to every response. The value of the 'Referrer-Policy' is set to 'strict-origin-when-cross-origin', which is a secure option. The 'Referrer-Policy' HTTP header controls how much referrer information (sent via the Referer header) should be included with requests. The 'strict-origin-when-cross-origin' option sends a full URL when performing a same-origin request, only sends the origin of the document for cross-origin requests, and sends no header to a less secure destination (from HTTPS to HTTP). This middleware is added to the server pipeline using the `addMiddleware` function, ensuring that every response includes this header. This helps to prevent potential security vulnerabilities related to the referrer policy.
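As an added example (not part of the original page), the middleware below generalizes the fix: it applies a secure default Referrer-Policy but leaves a stricter value that a handler set itself untouched, and it verifies the result by invoking the handler in-process rather than by starting a server. The names `referrerPolicy` and `checkHeaders` are assumptions chosen for this example.

```dart
import 'package:shelf/shelf.dart' as shelf;

// Assumed helper name. Sets Referrer-Policy on every response unless the
// handler already chose one; shelf header maps are case-insensitive.
shelf.Middleware referrerPolicy(
        [String policy = 'strict-origin-when-cross-origin']) =>
    shelf.createMiddleware(responseHandler: (response) {
      if (response.headers.containsKey('referrer-policy')) return response;
      return response.change(headers: {'Referrer-Policy': policy});
    });

// Constructed handler: one route relies on the default, the other opts into
// the stricter 'no-referrer' for a page whose URL must never be disclosed.
shelf.Response _app(shelf.Request request) {
  if (request.url.path == 'reset-password') {
    return shelf.Response.ok('sensitive page',
        headers: {'Referrer-Policy': 'no-referrer'});
  }
  return shelf.Response.ok('public page');
}

// Assumed helper name. Runs the wrapped handler against two constructed
// requests and returns the Referrer-Policy value observed for each path.
Future<Map<String, String?>> checkHeaders() async {
  final handler = const shelf.Pipeline()
      .addMiddleware(referrerPolicy())
      .addHandler(_app);
  final result = <String, String?>{};
  for (final path in ['', 'reset-password']) {
    final response = await handler(
        shelf.Request('GET', Uri.parse('http://localhost/$path')));
    result[path] = response.headers['referrer-policy'];
  }
  return result;
}

Future<void> main() async {
  final observed = await checkHeaders();
  observed.forEach((path, value) => print('/$path -> $value'));
  // Fail loudly if any response left the header unset.
  if (observed.values.any((v) => v == null)) {
    throw StateError('a response was served without Referrer-Policy');
  }
}
```

Running this with the `shelf` package on the pub path exercises the middleware without opening a socket, which makes the same check usable inside a unit test.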