Insecure or unset HTTP headers - Referrer-Policy

Need

Prevent the website's domain, path and query string from being leaked to external services through the Referer request header.

Context

• Usage of Elixir for building scalable and fault-tolerant applications

• Usage of Plug and Cowboy for HTTP request and response handling

• Missing or improperly set Referrer-Policy HTTP header in the server's responses

Description

1. Non-compliant code

defmodule VulnerableApp do
  use Plug.Router

  plug :match
  plug :dispatch

  # No Referrer-Policy header is set anywhere in the pipeline
  get "/" do
    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "hello")
  end
end

This Plug router serves the response without a Referrer-Policy header, so each browser applies its own default policy. Depending on that default, the full URL of the page (domain, path and query string) can be sent in the Referer header to any external site the page links to or loads resources from.

2. Steps

• Set the header on every response before :match and :dispatch run, for example with a function plug that calls Plug.Conn.put_resp_header(conn, "referrer-policy", "strict-origin"). Plug does not ship a ready-made Referrer-Policy plug, so the header has to be added explicitly.

• With strict-origin the browser sends only the origin (scheme, host and port) as the Referer, and only to destinations at the same security level (HTTPS to HTTPS); nothing is sent when navigating from HTTPS to HTTP. The path and query string are never sent. If the origin itself must not leak either, use no-referrer.

• Use the exact lowercase token from the Referrer Policy specification. Browsers ignore an unrecognised value and fall back to their default, so check the header in an actual response rather than assuming it took effect.

3. Secure code example

defmodule SecureApp do
  use Plug.Router

  # Runs before routing, so every response carries the header
  plug :put_referrer_policy

  plug :match
  plug :dispatch

  get "/" do
    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "hello")
  end

  defp put_referrer_policy(conn, _opts) do
    put_resp_header(conn, "referrer-policy", "strict-origin")
  end
end

This code sets Referrer-Policy: strict-origin on every response. Browsers then send only the origin as the Referer, only to same-security-level destinations, and nothing at all on a downgrade to HTTP, so the website's path and query string are never leaked. If the origin itself must also stay private, use no-referrer (or same-origin, which keeps the full referrer for same-origin requests only).
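As an added example (not code from the original page and not part of Plug itself), the following is a reusable module plug that validates the policy value, sets the header in a before-send callback so a later plug cannot drop it, and a Plug.Test helper that reads the header back from a response. The module names ReferrerPolicyPlug, SecureApp and ReferrerPolicyCheck are assumptions; the example assumes Plug (with Plug.Test) is a dependency of the project.

```elixir
# Added example, not from the original page or from the Plug project.
# Assumes Plug is a dependency; ReferrerPolicyPlug, SecureApp and
# ReferrerPolicyCheck are names chosen for this example.
defmodule ReferrerPolicyPlug do
  @moduledoc "Sets the Referrer-Policy response header to a validated value."
  @behaviour Plug
  import Plug.Conn

  # Policy tokens defined by the Referrer Policy specification.
  @valid ~w(no-referrer no-referrer-when-downgrade same-origin origin
            strict-origin origin-when-cross-origin
            strict-origin-when-cross-origin unsafe-url)

  @impl true
  def init(opts) do
    # Accept either :strict_origin (atom, as in the page) or "strict-origin".
    policy =
      opts
      |> Keyword.get(:policy, :strict_origin)
      |> to_string()
      |> String.replace("_", "-")

    # Fail at compile/boot time: browsers silently ignore an unknown token
    # and fall back to their default, which is exactly what we want to avoid.
    unless policy in @valid do
      raise ArgumentError, "invalid Referrer-Policy value: #{inspect(policy)}"
    end

    policy
  end

  @impl true
  def call(conn, policy) do
    # Apply the header right before the response is sent so later plugs or
    # route handlers that rewrite headers cannot remove it.
    register_before_send(conn, fn conn ->
      put_resp_header(conn, "referrer-policy", policy)
    end)
  end
end

defmodule SecureApp do
  use Plug.Router

  # no-referrer suppresses the origin too; use :strict_origin if downstream
  # analytics legitimately need to know which site sent the visitor.
  plug ReferrerPolicyPlug, policy: :no_referrer
  plug :match
  plug :dispatch

  get "/" do
    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(200, "hello")
  end

  match _ do
    send_resp(conn, 404, "not found")
  end
end

defmodule ReferrerPolicyCheck do
  @moduledoc "Verifies the header is present on a response without a browser."
  import Plug.Test

  # Returns the list of referrer-policy header values for a GET to `path`.
  def header_for(path \\ "/") do
    conn = conn(:get, path) |> SecureApp.call(SecureApp.init([]))
    Plug.Conn.get_resp_header(conn, "referrer-policy")
  end
end
```

Calling ReferrerPolicyCheck.header_for("/") in iex returns a one-element list holding the configured policy, and header_for("/missing") shows the catch-all 404 response carries it as well, which is the property worth checking: the header must be on every response, not only on the happy path. Passing an unsupported value such as policy: :strict_origins raises at init time instead of shipping a header the browser would ignore.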