10 DAYS AGO • 1 MIN READ

(#2) Referrer-Policy may BETRAY you... ❌ Let's be smarter!


pills.dev 💊 weekly coding tips & tricks

Join +2,660 software developers getting weekly tips covering security, quality and system design.

Have you ever clicked "Remind me the password"?

I bet you have!

Did you know there is a serious security issue hidden behind it (that most developers are unaware of)? 🤔

Let me explain...

Imagine you request a password reset. What usually happens next? You receive an email with a password reset link, which often looks like this:

https://application.com/reset?code=123456

where code=123456 is unique to your password reset request. If the reset page loads any third-party resource (a script, widget, font or image) from another domain, this code... MAY LEAK!

Actually... any data from the URL may leak.

I can hear you screaming: - "Bartosz! How come!? 😮"

Look... when the browser loads the page, it also fetches every embedded resource, each with its own HTTP request. If the page has a widget loaded from, let's say, some-widget.com, the request for that widget can carry the HTTP header Referer, which tells the widget's server which page asked for it.

So what?

That's the issue. The Referer could be... https://application.com/reset?code=123456

So the secret token leaks to some-widget.com! 😑 If you don't believe me, open the Network tab of your developer tools on any website and inspect a request (an XHR call is a good candidate). You will find the Referer header carrying the address of the page that made the request.

To prevent this URL data leakage, we need Referrer-Policy!

This is one of the HTTP security headers that every developer should know. You can read the full documentation about it, but here is a quick win. While serving your application, add an HTTP response header 👉 Referrer-Policy: origin-when-cross-origin.

This will instruct the browser to send the origin, path, and query string (for example, https://application.com/reset?code=123456) ONLY if the request points to the same origin (your internal link). If the request is cross-origin (for example, pointing outside of your domain like some-widget.com), only the origin is sent (https://application.com/ with no path and no query string).

Two caveats before you call it done. First, origin-when-cross-origin still sends the origin when an HTTPS page requests an HTTP resource; strict-origin-when-cross-origin drops the Referer entirely on such downgrades and is what current browsers use when no policy is set, so it is the better choice if you are picking one today. Do not rely on that browser default, though: an explicit header covers old browsers and any widget that sets its own referrerpolicy. Second, the header also applies when the user clicks an external link on the reset page, not only to embedded resources. And remember that the Referer is only one of the places a URL ends up (browser history, proxy and server logs), so a secret in the query string is a design smell: keep reset codes single-use and short-lived, and send the Referrer-Policy header in any case.
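To make the leak described above concrete, here is an added example (my code, not from the pills.dev newsletter) that models how a browser chooses the Referer value for a sub-resource request under each Referrer-Policy value, following the "determine request's referrer" steps of the W3C Referrer Policy spec. The reset URL is the one from the article; the widget and asset URLs (some-widget.com/widget.js, application.com/static/app.js) are constructed for the demo. Run it with Node to see which policies let the code leave your origin.

```javascript
// Added example: a model of the browser's Referer selection per Referrer-Policy.
// Not the newsletter's own code; URLs below are constructed for illustration.

// Credentials and the fragment are never sent in Referer, whatever the policy.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + "/"; // origin is serialised with a trailing "/"
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// A "downgrade" is an https page fetching an http resource.
function isDowngrade(page, target) {
  return page.protocol === "https:" && target.protocol === "http:";
}

// Returns the Referer the browser would send, or null when it sends none.
function referrerFor(policy, pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const target = new URL(requestUrl);
  const sameOrigin = page.origin === target.origin; // scheme + host + port
  const full = stripForReferrer(pageUrl, false);
  const origin = stripForReferrer(pageUrl, true);

  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade": // the old browser default
      return isDowngrade(page, target) ? null : full;
    case "origin":
      return origin;
    case "same-origin":
      return sameOrigin ? full : null;
    case "origin-when-cross-origin": // the article's recommendation
      return sameOrigin ? full : origin;
    case "strict-origin":
      return isDowngrade(page, target) ? null : origin;
    case "strict-origin-when-cross-origin": // the current browser default
      if (sameOrigin) return full;
      return isDowngrade(page, target) ? null : origin;
    case "unsafe-url":
      return full;
    default:
      throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// True when the Referer still carries the query string, i.e. the reset code.
function leaksQuery(policy, pageUrl, requestUrl) {
  const ref = referrerFor(policy, pageUrl, requestUrl);
  return ref !== null && new URL(ref).search !== "";
}

// Constructed sample: the reset page from the article loading a third-party
// widget (over https and over plain http) and one of its own assets.
const RESET_PAGE = "https://application.com/reset?code=123456";
const WIDGET = "https://some-widget.com/widget.js";
const HTTP_WIDGET = "http://some-widget.com/widget.js";
const OWN_ASSET = "https://application.com/static/app.js";

const POLICIES = [
  "no-referrer-when-downgrade",
  "origin-when-cross-origin",
  "strict-origin-when-cross-origin",
  "no-referrer",
];

for (const policy of POLICIES) {
  console.log(
    policy.padEnd(32),
    "widget:", referrerFor(policy, RESET_PAGE, WIDGET),
    "| own asset:", referrerFor(policy, RESET_PAGE, OWN_ASSET),
    "| leaks code to widget:", leaksQuery(policy, RESET_PAGE, WIDGET)
  );
}
```

The interesting rows are the first two: under no-referrer-when-downgrade the widget's server receives the full reset URL, while under origin-when-cross-origin it receives only https://application.com/. Note that the same-origin asset request still carries the code under both, which is fine as long as your own servers treat their logs as sensitive.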


That's it for today. I hope it's useful 😻

See you next week!
Bartosz
