Implementation of secure and properly configured HTTP headers - Referrer-Policy
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
        }

        app.UseStaticFiles();
        app.UseCookiePolicy();
        // Nothing in this pipeline sets Referrer-Policy, so each browser
        // falls back to its own default when sending the Referer header.
        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }
}
The code above is a typical configuration for an ASP.NET Core application. However, it is vulnerable to information leakage because it never sets the Referrer-Policy HTTP header.
The Referrer-Policy header controls how much referrer information (sent via the Referer request header) the browser includes with requests that originate from the page. If this header is not set, or is set to an insecure value, the full URL of the referring page can be disclosed to other sites, exposing sensitive information carried in the URL such as session IDs or other user-specific details.
In the code above, no middleware sets the Referrer-Policy header on HTTP responses. Consequently, the application never instructs the browser how to limit what it puts in the Referer header when navigating from the current site to another, and the browser's default policy applies. This can lead to privacy leaks, as the URL of the referring request can contain sensitive information.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
        }

        // Add middleware to set the Referrer-Policy header. It is registered
        // ahead of UseStaticFiles so that responses short-circuited by the
        // static file middleware also carry the header.
        app.Use(async (context, next) =>
        {
            // Indexer assignment overwrites any existing value; Headers.Add
            // would throw if the header had already been added upstream.
            context.Response.Headers["Referrer-Policy"] = "strict-origin-when-cross-origin";
            await next();
        });

        app.UseStaticFiles();
        app.UseCookiePolicy();
        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }
}
The code above fixes the issue by adding a middleware that sets the Referrer-Policy HTTP header to strict-origin-when-cross-origin for all responses from the server. Under this policy the browser sends the full URL as the referrer for same-origin requests, sends only the origin (scheme, host, and port) to other origins, and sends no referrer at all when the connection is downgraded from HTTPS to HTTP. This keeps path and query-string data out of the referrer when navigating to less secure or different origins.
The middleware is added in the Configure method, which the runtime calls to build the HTTP request pipeline. It is registered ahead of the MVC middleware so that the header is set on all responses, including error responses. Because middleware that short-circuits the pipeline never passes the request further along, header-setting middleware belongs as early in the pipeline as possible, ahead of components such as UseStaticFiles that can complete a response on their own.
The Use extension method adds the middleware to the application's request pipeline. The middleware is a delegate that receives the HttpContext and a function that invokes the next middleware in the pipeline. It sets the Referrer-Policy header and then calls the next middleware; the header is assigned before next is awaited because response headers are sent as soon as the first byte of the body is written.
The await next(); line matters because it lets the remaining middleware process the request and generate the response. When it returns, control comes back to our middleware, which can perform post-processing such as logging. Note that if a downstream component has already started writing the response body, the headers have already been sent, so any header changes must be made before awaiting next (or registered with context.Response.OnStarting).
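The inline delegate above works, but the same logic is easier to reuse and test as a dedicated middleware class. The following is an added example, not code from the original page; the class and extension method names are hypothetical. It validates the policy value against the set defined by the Referrer Policy specification at startup, and applies the header from a Response.OnStarting callback so that it is written immediately before the headers go to the client, regardless of what downstream middleware does to the response.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Hypothetical reusable middleware (added example, not part of the original page).
public sealed class ReferrerPolicyMiddleware
{
    // The policy tokens defined by the Referrer Policy specification.
    private static readonly HashSet<string> AllowedValues =
        new HashSet<string>(StringComparer.Ordinal)
        {
            "no-referrer",
            "no-referrer-when-downgrade",
            "origin",
            "origin-when-cross-origin",
            "same-origin",
            "strict-origin",
            "strict-origin-when-cross-origin",
            "unsafe-url"
        };

    private readonly RequestDelegate _next;
    private readonly string _policy;

    public ReferrerPolicyMiddleware(RequestDelegate next, string policy)
    {
        _next = next ?? throw new ArgumentNullException(nameof(next));
        if (policy == null || !AllowedValues.Contains(policy))
        {
            // Fail at startup instead of silently sending a value browsers ignore.
            throw new ArgumentException(
                $"'{policy}' is not a valid Referrer-Policy value.", nameof(policy));
        }
        _policy = policy;
    }

    public Task Invoke(HttpContext context)
    {
        // OnStarting runs just before the first byte of the response is written,
        // so the header is applied even if a later component rewrites headers.
        context.Response.OnStarting(() =>
        {
            // Indexer assignment overwrites an existing value; Headers.Add
            // would throw on a duplicate key.
            context.Response.Headers["Referrer-Policy"] = _policy;
            return Task.CompletedTask;
        });
        return _next(context);
    }
}

public static class ReferrerPolicyMiddlewareExtensions
{
    // Usage in Startup.Configure, early in the pipeline:
    //   app.UseReferrerPolicy();   // defaults to strict-origin-when-cross-origin
    public static IApplicationBuilder UseReferrerPolicy(
        this IApplicationBuilder app, string policy = "strict-origin-when-cross-origin")
    {
        return app.UseMiddleware<ReferrerPolicyMiddleware>(policy);
    }
}
```

Registering the header in OnStarting rather than directly in Invoke means the value is set at the last possible moment before the headers are flushed, which also covers the case where an exception handler re-executes the pipeline and clears the response.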
This solution ensures that the Referrer-Policy header is configured in both development and production environments, because the middleware is registered in the Configure method outside of the env.IsDevelopment() branch, and that method runs in both environments.
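A header fix like this is easy to regress when the pipeline is reordered later, so it is worth pinning with an integration test. The following is an added example, not part of the original page: it uses the Microsoft.AspNetCore.TestHost package and xUnit (both assumed to be referenced by the test project) to host the page's Startup class in memory and assert that the header is present on every response, whether the request hits an MVC route or ends in a 404.

```csharp
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.TestHost;
using Xunit;

// Added example test; assumes the Startup class shown on this page and
// the Microsoft.AspNetCore.TestHost and xunit packages.
public class ReferrerPolicyHeaderTests
{
    private const string ExpectedPolicy = "strict-origin-when-cross-origin";

    private static HttpClient CreateClient()
    {
        // TestServer runs the real middleware pipeline in-process, no sockets involved.
        var server = new TestServer(new WebHostBuilder().UseStartup<Startup>());
        return server.CreateClient();
    }

    [Theory]
    [InlineData("/")]                      // default MVC route
    [InlineData("/no-such-path-xyz")]      // falls through the pipeline to a 404
    public async Task Every_response_carries_the_referrer_policy_header(string path)
    {
        using (var client = CreateClient())
        {
            HttpResponseMessage response = await client.GetAsync(path);

            // The header must be present regardless of the status code.
            Assert.True(
                response.Headers.TryGetValues("Referrer-Policy", out var values),
                $"Referrer-Policy header missing on {path} (status {(int)response.StatusCode})");
            Assert.Equal(ExpectedPolicy, Assert.Single(values));
        }
    }
}
```

Adding a request for a static file path to the InlineData set is a quick way to confirm that the middleware is registered ahead of UseStaticFiles; if it is not, that case fails while the MVC cases still pass.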