Insecure or unset HTTP headers - Referrer-Policy
Need
Enforcement of secure and properly configured HTTP headers - Referrer-Policy
Context
• Usage of Go 1.16 for developing high-performance and concurrent applications
• Usage of gin-gonic/gin for building web applications in Go
Description
1. Non compliant code
package main
import (
"github.com/gin-gonic/gin"
)
func main() {
...In the above code, we are setting up a simple server using the Gin framework in Go. The server responds to GET requests at the root ("/") endpoint with "Hello, World!". However, the code is vulnerable because it does not set the `Referrer-Policy` HTTP header. This header controls how much referrer information (sent via the `Referer` header) should be included with requests. Not setting the `Referrer-Policy` or setting it to an insecure value can expose sensitive information in the URL, such as session IDs or other user-specific data, to other sites. This can lead to potential privacy leaks or other security issues. In this case, the absence of the `Referrer-Policy` means that browsers will use their default behavior, which might be to send the full URL in the `Referer` header, potentially exposing sensitive data.
2. Steps
• Add the Referrer-Policy HTTP header to the server's response.
• Set a secure value for the Referrer-Policy header, such as 'no-referrer' or 'strict-origin-when-cross-origin'.
• Configure the server to send the Referrer-Policy header for all responses, not just the root route ('/').
• Test the application to ensure that the Referrer-Policy header is being set correctly.
3. Secure code example
package main
import (
"github.com/gin-gonic/gin"
)
func main() {
...The above code fixes the vulnerability by adding a middleware function that sets the `Referrer-Policy` HTTP header to `strict-origin-when-cross-origin` for all responses. The middleware function is added using the `Use` function of the gin router `r`. This function takes a handler function as an argument, which is called for every HTTP request. The handler function sets the `Referrer-Policy` header using the `Header` method of the gin context `c`. The `Next` method is then called to pass control to the next middleware function in the chain. The `strict-origin-when-cross-origin` value for the `Referrer-Policy` header means that the full URL will be sent as referrer to same-origin destinations, but only the origin will be sent as referrer to cross-origin destinations in a secure (HTTPS) context, and no referrer will be sent in an insecure (HTTP) context. This is a secure configuration that helps to protect sensitive information. After adding the middleware function, the server is started with the `Run` method as before. The server will now send the `Referrer-Policy` header with all responses, not just the root route ('/'). You should test the application to ensure that the `Referrer-Policy` header is being set correctly. You can do this by sending a request to the server and checking the headers in the response.