Insecure or unset HTTP headers - Referrer-Policy - Ruby

Insecure or unset HTTP headers - Referrer-Policy - Ruby

Need

Implementation of secure and properly configured HTTP headers - Referrer-Policy

Context

  • Usage of Ruby for building dynamic and object-oriented applications
  • Usage of Rails framework for building web applications

Description

Non compliant code

        # config/application.rb

module YourApp
  class Application < Rails::Application
    # Other configurations...

    # Missing Referrer-Policy HTTP header
    config.action_dispatch.default_headers = {
      'X-Frame-Options' => 'SAMEORIGIN',
      'X-XSS-Protection' => '1; mode=block',
      'X-Content-Type-Options' => 'nosniff'
    }
  end
end
        
        

In the above code snippet, the application is configured with certain HTTP headers such as 'X-Frame-Options', 'X-XSS-Protection', and 'X-Content-Type-Options' in the config.action_dispatch.default_headers hash. However, the 'Referrer-Policy' HTTP header is missing.

The 'Referrer-Policy' HTTP header controls how much referrer information (sent via the Referer header) should be included with requests. If this header is not set, or configured in an insecure way, it could potentially leak sensitive information. For example, if a user clicks a link on your site that leads to another page or website, the URL of your site (which might contain sensitive information in the URL parameters) could be sent to that page or website.

In the context of a Ruby on Rails application, this could lead to potential information disclosure vulnerabilities. Therefore, it is recommended to always set the 'Referrer-Policy' HTTP header in a secure way to prevent such issues.

Steps

  • Add the 'Referrer-Policy' HTTP header to the list of default headers in the application configuration.
  • Set a secure value for the 'Referrer-Policy' header, such as 'strict-origin-when-cross-origin' or 'no-referrer'.
  • Ensure that the application is using the latest version of Ruby on Rails framework to have access to the latest security features and fixes.

Compliant code

        # config/application.rb

module YourApp
  class Application < Rails::Application
    # Other configurations...

    # Set Referrer-Policy HTTP header
    config.action_dispatch.default_headers = {
      'X-Frame-Options' => 'SAMEORIGIN',
      'X-XSS-Protection' => '1; mode=block',
      'X-Content-Type-Options' => 'nosniff',
      'Referrer-Policy' => 'strict-origin-when-cross-origin'
    }
  end
end
        
        

The above code fixes the vulnerability by adding the 'Referrer-Policy' HTTP header to the list of default headers in the application configuration. The 'Referrer-Policy' header is set to 'strict-origin-when-cross-origin', which is a secure value. This value ensures that a referrer will be sent for same-origin requests, and requests to a more secure destination (from HTTP to HTTPS), but only the origin is sent (not the full URL) for cross-origin requests.

This change will help to protect the application from potential information leakage via the referrer header. It is also recommended to ensure that the application is using the latest version of Ruby on Rails framework to have access to the latest security features and fixes.

References