New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
default referrer-policy for secure-headers middleware #2540
Labels
enhancement
New feature or request.
Comments
Hi @Jxck I appreciate your suggestion. It makes sense to me. I also the @watany-dev What do you think about this? |
3 tasks
@Jxck @yusukebe Based on this, I believe the discussion points are as follows:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What is the feature you are proposing?
Default Referrer-Policy for secure-headers middleware
Currently the default referrer-policy is
no-referrer
.https://github.com/honojs/hono/blob/main/src/middleware/secure-headers/index.ts#L73
When referrer-policy sets no-referrer, it also hides not only
referer
header but alsoorigin
header.https://fetch.spec.whatwg.org/#origin-header
Origin
header is very important for mitigating CSRF attacks.So making it
null
can make the application less secure, since the application server can't make sure it really comes from the same origin.What makes it secure is not hiding every referrer, but avoiding leaking much information for cross origin servers. There's no reason to avoid sending the referrer value to the same origin server.
What should be the default
There are many choices on Referrer-Policy but I prefer using
strict-origin-when-cross-origin
.https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#strict-origin-when-cross-origin_2
It minimizes information leaks and keeps sending origin for keep
origin
header based csrf guards works.same-origin
seems an alternative for securerer headers, but it hides sending origin to cross origin. In this case, it can cause some problems if your application interacts with cross origin services.That's the reason why
strict-orign-when-cross-orign
is the default policy for modern browsers now.but it's one of the practices to explicitly set
strcit-origin-when-cross-orign
from middleware to make sure it is enabled.The text was updated successfully, but these errors were encountered: