Have you ever clicked "Remind me the password"?

I bet you have!

Did you know there is a serious security issue hidden behind it (that most developers are unaware of)? 🤔

​

Let me explain...

Imagine you request a password reset. What usually happens next? You receive an email with a password reset link, which often looks like this:

​

https://application.com/reset?code=123456

​

where code=123456 is unique to your password reset request. If the page contains some third-party code fetched from an external domain, this code... MAY LEAK!

Actually... any data from the URL may leak.

​

I can hear you screaming: - "Bartosz! How come!? 😮"

​

Look... if you load the page, then all the embedded parts load accordingly - sending proper HTTP requests. If you have some widget on the page that loads from, let's say, some-widget.com, the request loading that widget may contain the HTTP Header Referer.

So what?

That's the issue. The referer could be... https://application.com/reset?code=123456

​

So the secret token leaks! 😑 If you don't believe me, open your developer tools and look for XHR requests on any website. You will find the Referer header with the original website address.

​

To prevent this URL data leakage, we need Referrer-Policy!

This is one of the HTTP security headers that every developer should know. You can read the whole docs about it, but here is a quick win. While serving your application, add an HTTP header 👉 Referrer-Policy: origin-when-cross-origin.

This will instruct the browser to send the origin, path, and query string (for example, https://application.com/reset?code=123456) ONLY if the request points to the same origin (your internal link). If the request is cross-origin (for example, pointing outside of your domain like some-widget.com), only the sole origin is sent (https://application.com without a path and query string).

​

Rate this email:

​GREAT 😃 | OKEY 😐 | BAD 😟

​

That's it for today. I hope it's useful 😻

​

See you next week!
Bartosz
​