071 – Insecure or unset HTTP headers - Referrer-Policy

Description

The server is missing the Referrer-Policy HTTP header. Alternatively, the headers configuration is unsafe.

Impact

Leak website domain and path to external services.

Recommendation

Set the Referrer-Policy header to no-referrer, same-origin, strict-origin, or strict-origin-when-cross-origin in the server responses.

Threat

Unauthorized attacker from the Internet.

Expected Remediation Time

30 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: H
• User interaction: P
• Confidentiality (VC): L
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: P

Requirements

• 062 - Define standard configurations
• 349 - Include HTTP security headers

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Python
• Ruby
• Scala
• Typescript

Last updated

2024/02/09