CIS Nginx Benchmark V1.0.0 L2 Webserver

Ensure the Referrer Policy is enabled and configured properly

Details

When a page on your site links a user to another site, the browser sends a Referer header that identifies the URL the user came from. Depending on what your site puts in its URLs, this can be a privacy concern for your users. A Referrer Policy lets you control how much of that URL (nothing, the origin only, or the full URL) other sites receive when a visitor follows a link from your site, which helps protect user privacy.

Rationale:

A Referer header may expose sensitive data in another web server's logs if your URL parameters carry personal information, a username and password, or a persistent session token. Depending on your application design, a missing or misconfigured Referrer Policy can therefore enable session hijacking, credential gathering, or sensitive data exposure in a third party's logs.

Solution

Add the line below to the server blocks in your nginx configuration. The policy should be customized for your organization's needs; the policy below ensures your site's URL is never sent as a referrer. Two nginx behaviours to keep in mind: add_header directives in a location block replace all add_header directives inherited from the enclosing server block, so the Referrer-Policy line must be repeated in any location that sets headers of its own; and add_header is applied only to 2xx and 3xx responses unless the always parameter is given, so error pages will not carry the header otherwise.

add_header Referrer-Policy "no-referrer";
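The benchmark's audit looks for the directive in the configuration; the shell helper below instead checks what the server actually returns, which catches the two nginx pitfalls above (a location block overriding the inherited header, and the header missing on error responses). It is an added example, not part of the CIS benchmark or of nginx, and its PASS/WEAK classification of policy values is this example's own assumption; the sample responses are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added audit helper for this control; it is not part of the CIS benchmark or
# of nginx. It reads raw HTTP response headers (e.g. from `curl -sI`) on stdin
# and reports whether a Referrer-Policy header is present and what it allows
# to leave the site. The PASS/WEAK classification is this example's own
# assumption; the benchmark only requires a policy that fits your organisation.

referrer_policy_status() {
    # Strip CRs, keep the last Referrer-Policy line, drop the header name and
    # whitespace, and lower-case the value for comparison.
    value=$(tr -d '\r' | grep -i '^referrer-policy:' | tail -n 1 \
            | cut -d: -f2- | tr -d ' \t' | tr '[:upper:]' '[:lower:]')
    if [ -z "$value" ]; then
        echo "FAIL: Referrer-Policy header missing"
        return 0
    fi
    # The header may carry a comma-separated fallback list; browsers apply the
    # last value they recognise, so that is the one to judge.
    last=${value##*,}
    case "$last" in
        no-referrer|same-origin)
            echo "PASS: $last (no referrer sent cross-origin)" ;;
        strict-origin|strict-origin-when-cross-origin|origin|origin-when-cross-origin)
            echo "PASS: $last (origin only sent cross-origin)" ;;
        unsafe-url|no-referrer-when-downgrade)
            echo "WEAK: $last (full URL can reach another site)" ;;
        *)
            echo "FAIL: unrecognised value '$last'" ;;
    esac
}

# Constructed sample responses, not captured from any real server.
# A 200 from a server block that has the recommended add_header line:
ok_200='HTTP/1.1 200 OK
Server: nginx
Referrer-Policy: no-referrer
Content-Type: text/html
'
# A 404 from the same server: add_header without "always" is applied only to
# 2xx/3xx responses, so the header is absent here.
missing_404='HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html
'
# A response from a location block whose own add_header directives replaced
# the inherited ones and set a permissive value.
weak_200='HTTP/1.1 200 OK
Server: nginx
Referrer-Policy: unsafe-url
'

printf '%s' "$ok_200"      | referrer_policy_status
printf '%s' "$missing_404" | referrer_policy_status
printf '%s' "$weak_200"    | referrer_policy_status
```

Against a live server, pipe the headers in with `curl -sI <your site URL> | referrer_policy_status`, and repeat for a URL that returns an error status and for paths served by location blocks that set their own headers.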

Supportive Information


This security hardening control falls under the Configuration Management family of NIST 800-53 controls. It applies to Unix systems.


Updated on July 16, 2022
