Insecure or unset HTTP headers - Referrer-Policy - Dart
Need
Implementation of secure and properly configured HTTP headers
Context
- Usage of Dart 2.0 for building scalable and efficient web and mobile applications
- Usage of Shelf for managing and organizing data in Node.js applications
Description
Insecure Code Example
import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io; // serve() lives in shelf_io, not shelf

void main() {
  // The pipeline only logs requests: nothing here sets Referrer-Policy.
  var handler = const shelf.Pipeline()
      .addMiddleware(shelf.logRequests())
      .addHandler(_echoRequest);
  io.serve(handler, 'localhost', 8080).then((server) {
    print('Serving at http://${server.address.host}:${server.port}');
  });
}

// Answers every request with a plain message; the response carries no
// Referrer-Policy header, so the browser falls back to its default policy.
shelf.Response _echoRequest(shelf.Request request) {
  return shelf.Response.ok('Request for "${request.url}"');
}
In the above Dart code, we are using the `shelf` package to create a simple server. The server listens on localhost at port 8080 and responds to any request with a simple message. However, this code is vulnerable because it does not set the `Referrer-Policy` HTTP header. The `Referrer-Policy` header controls how much referrer information (sent via the `Referer` header) the browser includes with requests that originate from the page. Without this header, or with an insecure configuration, sensitive data in the URL (for example a path or query string containing tokens or identifiers) can leak to other sites through the `Referer` header. This happens whenever your page links to an external site or loads resources from it. To mitigate this vulnerability, always set the `Referrer-Policy` header to a secure value such as 'no-referrer', 'same-origin', or 'strict-origin-when-cross-origin'.
Steps
- Import the 'shelf' package in your Dart file.
- Create a middleware function that adds the 'Referrer-Policy' HTTP header to every response.
- The value of the 'Referrer-Policy' should be set to a secure option like 'no-referrer', 'same-origin', or 'strict-origin-when-cross-origin'.
- Add this middleware to your server pipeline using the 'addMiddleware' function.
Secure Code Example
import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io; // serve() lives in shelf_io, not shelf

void main() {
  var handler = const shelf.Pipeline()
      .addMiddleware(shelf.logRequests())
      // Call the factory: addMiddleware expects a Middleware value, not a
      // function that returns one.
      .addMiddleware(_addReferrerPolicyHeader())
      .addHandler(_echoRequest);
  io.serve(handler, 'localhost', 8080).then((server) {
    print('Serving at http://${server.address.host}:${server.port}');
  });
}

shelf.Response _echoRequest(shelf.Request request) {
  return shelf.Response.ok('Request for "${request.url}"');
}

// Wraps the inner handler and adds Referrer-Policy to every response it
// produces. Response.change merges the header into the existing ones.
shelf.Middleware _addReferrerPolicyHeader() {
  return (shelf.Handler innerHandler) {
    return (shelf.Request request) async {
      final response = await innerHandler(request);
      return response.change(
          headers: {'Referrer-Policy': 'strict-origin-when-cross-origin'});
    };
  };
}
The above code fixes the vulnerability by adding a middleware function `_addReferrerPolicyHeader` to the server pipeline. This function adds the 'Referrer-Policy' HTTP header to every response. The value of the 'Referrer-Policy' is set to 'strict-origin-when-cross-origin', which is a secure option. The 'Referrer-Policy' HTTP header controls how much referrer information (sent via the Referer header) the browser includes with requests. With 'strict-origin-when-cross-origin', the browser sends the full URL on same-origin requests, sends only the origin of the document on cross-origin requests, and sends no Referer at all to a less secure destination (from HTTPS to HTTP). Because the middleware is registered with `addMiddleware`, every response that passes through the pipeline carries the header, so the path and query string of your pages no longer leak to third-party sites.
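To confirm the middleware behaves as described without binding a port, the following unit test (an added example, not part of the original page) runs a request through the pipeline in-process and checks the header on the result. It assumes `package:shelf` and `package:test` are listed in pubspec.yaml; the middleware here goes one step beyond the page's version in that it only fills the header in when the handler has not already set a stricter value, and the third test checks that error responses are covered too.

```dart
import 'package:shelf/shelf.dart' as shelf;
import 'package:test/test.dart';

/// Same approach as the page's middleware, but it leaves an existing
/// Referrer-Policy untouched so a route that needs 'no-referrer' keeps it.
shelf.Middleware referrerPolicyMiddleware(
    {String policy = 'strict-origin-when-cross-origin'}) {
  return (shelf.Handler inner) {
    return (shelf.Request request) async {
      final response = await inner(request);
      // shelf header maps are case-insensitive, so this matches any casing.
      if (response.headers.containsKey('referrer-policy')) return response;
      return response.change(headers: {'Referrer-Policy': policy});
    };
  };
}

void main() {
  // Constructed request; shelf requires an absolute URI here.
  final request = shelf.Request('GET', Uri.parse('http://localhost:8080/'));

  shelf.Handler wrap(shelf.Handler inner) =>
      const shelf.Pipeline().addMiddleware(referrerPolicyMiddleware()).addHandler(inner);

  test('header is added when the handler does not set it', () async {
    final response = await wrap((_) => shelf.Response.ok('hello'))(request);
    expect(response.headers['referrer-policy'], 'strict-origin-when-cross-origin');
  });

  test('a stricter value set by the handler is preserved', () async {
    final response = await wrap((_) => shelf.Response.ok('secret page',
        headers: {'Referrer-Policy': 'no-referrer'}))(request);
    expect(response.headers['referrer-policy'], 'no-referrer');
  });

  test('error responses carry the header as well', () async {
    final response = await wrap((_) => shelf.Response.notFound('missing'))(request);
    expect(response.headers['referrer-policy'], 'strict-origin-when-cross-origin');
  });
}
```

Run it with `dart test`; a failing first or third case means some response path bypasses the middleware and the header is not being set server-wide.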
Last updated
2023/09/18