Insecure or unset HTTP headers - Referrer-Policy - Java
Need
Enforcement of secure and properly configured HTTP headers
Context
- Usage of Java 8 for developing applications with enhanced features and performance
- Usage of javax.servlet-api for developing Java web applications with Servlets
Description
Insecure Code Example
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// getWriter() can throw IOException, so the handler must declare it
public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    // some code here
    resp.setContentType("text/html");
    // No Referrer-Policy header is set: the browser falls back to its default policy
    resp.getWriter().println("<h1>Hello, world!</h1>");
}
The handler above answers an HTTP GET with a "Hello, world!" page but never sets the `Referrer-Policy` header on `resp`. `Referrer-Policy` tells the browser how much of the current page's URL it may place in the `Referer` header when that page navigates to, or loads resources from, another origin. Without the header the browser falls back to its built-in default: older browsers used `no-referrer-when-downgrade`, which sends the full URL (path and query string included) to any HTTPS destination, and current browsers use `strict-origin-when-cross-origin`, which still discloses the page's origin to third parties. If the URL of this page carries sensitive data, such as a session token, a password-reset code or search terms in the query string, every third-party link, image or script referenced from the page receives that data in the `Referer` header. The application should therefore state its policy explicitly instead of relying on whatever the user's browser defaults to.
Steps
- Set the Referrer-Policy HTTP header in the response.
- Choose an appropriate Referrer-Policy value based on your security requirements.
- Ensure that the Referrer-Policy header is set for all responses, not just for HTML responses.
- Consider using a Content Security Policy (CSP) to further enhance the security of your application.
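The steps above are easiest to apply once, centrally, rather than in every handler. The following `javax.servlet.Filter` is an added example written for this page; it is not code from the original page or from any project. It sets `Referrer-Policy` on every response before the servlet chain runs (so the header is never lost to an already-committed response), defaults to `no-referrer`, and accepts an optional override through a web.xml init-param. The class name `ReferrerPolicyFilter` and the init-param name `policy` are assumptions chosen for the example.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

/**
 * Sets the Referrer-Policy header on every response produced by the
 * application, HTML or not, so that individual handlers do not have to
 * remember it. The header is added before chain.doFilter() because
 * setHeader() is silently ignored once the response has been committed.
 *
 * Hypothetical class and init-param names; adjust to the project.
 */
@WebFilter(urlPatterns = "/*")
public class ReferrerPolicyFilter implements Filter {

    static final String HEADER = "Referrer-Policy";

    // Strictest value: the browser never sends a Referer header from this site.
    static final String DEFAULT_POLICY = "no-referrer";

    // Every value defined by the Referrer Policy specification. Anything else
    // configured is a typo and would make the browser ignore the header.
    static final Set<String> VALID_POLICIES = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            "no-referrer",
            "no-referrer-when-downgrade",
            "origin",
            "origin-when-cross-origin",
            "same-origin",
            "strict-origin",
            "strict-origin-when-cross-origin",
            "unsafe-url")));

    private String policy = DEFAULT_POLICY;

    /** Returns the policy the filter will emit for a configured value, or the default if the value is invalid. */
    static String resolvePolicy(String configured) {
        if (configured == null) {
            return DEFAULT_POLICY;
        }
        String trimmed = configured.trim().toLowerCase();
        return VALID_POLICIES.contains(trimmed) ? trimmed : DEFAULT_POLICY;
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Optional override, e.g. <init-param><param-name>policy</param-name>
        // <param-value>strict-origin-when-cross-origin</param-value></init-param>
        String configured = config.getInitParameter("policy");
        policy = resolvePolicy(configured);
        if (configured != null && !policy.equals(configured.trim().toLowerCase())) {
            config.getServletContext().log(
                    "ReferrerPolicyFilter: invalid policy '" + configured + "', using " + policy);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse resp = (HttpServletResponse) res;
            // setHeader (not addHeader) replaces any weaker value a handler
            // or an upstream component may have set on this response.
            resp.setHeader(HEADER, policy);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Because the header is written before the chain runs, a handler that writes and flushes its body immediately still gets the header. If a handler needs a different policy for a specific page, it can call `resp.setHeader("Referrer-Policy", ...)` itself before writing any output; the later `setHeader` wins because the filter's value is already in place and is simply replaced.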
Secure Code Example
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    // some code here
    resp.setContentType("text/html");
    // Set the Referrer-Policy HTTP header before any body is written:
    // headers added after the response is committed are silently ignored
    resp.setHeader("Referrer-Policy", "no-referrer");
    resp.getWriter().println("<h1>Hello, world!</h1>");
}
The updated code sets the `Referrer-Policy` header before writing the body. `no-referrer` is the strictest value: the browser omits the `Referer` header entirely for every request that originates from this page. Where the referring origin is genuinely needed, for instance by a same-site analytics endpoint, `strict-origin-when-cross-origin` or `same-origin` are the usual compromises; `unsafe-url` and `no-referrer-when-downgrade` should be avoided because they send the full URL across origins. Two practical points: `setHeader` must be called before the response is committed (before the writer is flushed or the output buffer fills), otherwise the container silently drops it; and setting the header by hand in each handler is error-prone, so it is better applied centrally in a `javax.servlet.Filter` so that every response, not only HTML, carries it. A Content Security Policy complements this header: by restricting the origins from which the page may load scripts and other resources it limits which third parties could receive a referrer at all, and it mitigates cross-site scripting and other injection attacks. CSP does not, however, replace `Referrer-Policy`.
Last updated
2023/09/18