New security header referrer policy wording

morganism
Senior Member
Posts: 116
Joined: Tue Nov 26, 2013 9:44 pm

New security header referrer policy wording

Post by morganism » Mon Feb 20, 2017 10:38 pm

A new security header for the browser referrer, and some explanations behind the choices.

https://scotthelme.co.uk/a-new-security ... er-policy/

Recommendations

"Which header you will want or need to use will depend on your requirements but there are some that you should probably stay away from. The unsafe-url value kind of gives you a hint in the name and I wouldn't really advise anyone use it. Likewise if you're thinking of using origin or origin-when-cross-origin then I'd recommend looking at strict-origin and strict-origin-when-cross-origin instead. This will at least plug the little hole of leaking referrer data over an insecure connection. I don't have anything sensitive in the URL for my site so I will probably look at a value like no-referrer-when-downgrade just to keep referrer data off HTTP connections."
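To make the quoted recommendations concrete, here is an added example (my own code, not from the linked article) that models which Referer value a browser sends for each Referrer-Policy value, following the "determine request's referrer" steps of the W3C Referrer Policy spec. The URLs are constructed sample inputs; "downgrade" is simplified to https -> http rather than the spec's full "potentially trustworthy" check.

```javascript
// Added example: model the Referer value a browser sends under each Referrer-Policy
// value. Runs in Node or a browser (WHATWG URL API, no dependencies).
const POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin",
  "unsafe-url",
]);

// Full referrer: the source URL with credentials and fragment removed (spec "strip").
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = ""; u.password = ""; u.hash = "";
  return u.href;
}

// Returns the Referer header value the browser would send, or null for none.
function refererFor(policy, sourceUrl, destUrl) {
  if (!POLICIES.has(policy)) throw new Error(`unknown policy: ${policy}`);
  const src = new URL(sourceUrl), dst = new URL(destUrl);
  const sameOrigin = src.origin === dst.origin;
  // Simplified "downgrade": leaving a TLS page for a plaintext destination.
  const downgrade = src.protocol === "https:" && dst.protocol === "http:";
  const originOnly = src.origin + "/"; // spec serialises the origin with a trailing "/"
  const full = stripForReferrer(sourceUrl);
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full; // path and query leak everywhere, even on downgrade
    case "same-origin": return sameOrigin ? full : null;
    case "origin": return originOnly; // origin still leaks over plaintext on downgrade
    case "strict-origin": return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
  }
}

// Side-by-side view of every policy for one navigation (constructed sample URLs).
function compareAll(sourceUrl, destUrl) {
  const out = {};
  for (const p of POLICIES) out[p] = refererFor(p, sourceUrl, destUrl);
  return out;
}

console.table(compareAll("https://example.com/account?id=7#top", "http://other.test/"));
```

The table output shows why the article steers away from unsafe-url and plain origin: those are the only two rows that still emit anything on an https -> http downgrade.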

barbaz
Senior Member
Posts: 9148
Joined: Sat Aug 03, 2013 5:45 pm

Re: New security header referrer policy wording

Post by barbaz » Tue Feb 21, 2017 12:08 am

And the list of supporting browsers - https://developer.mozilla.org/docs/Web/ ... patibility
*Always* check the changelogs BEFORE updating that important software!
