HawkScan Test Info for Information Disclosure - Sensitive Information in HTTP Referrer Header

Information Disclosure - Sensitive Information in HTTP Referrer Header

Reference

Plugin Id: 10025 | CWE: 200

Remediation

  1. Remove sensitive data from URLs: Avoid including sensitive information like passwords, tokens, or personal data in URL parameters.
  2. Use POST requests: For sensitive operations, use POST requests with data in the request body rather than URL parameters.
  3. Configure referrer policy: Send a Referrer-Policy response header (or the equivalent meta tag) with a restrictive value, such as strict-origin-when-cross-origin or same-origin, so that at most the origin, never the full URL, is sent in the Referer header on cross-origin requests.
  4. Review parameter naming: Use generic parameter names that don’t reveal sensitive information even if logged.

About

The HTTP Referer header is automatically sent by browsers when navigating from one page to another or when a page loads a resource such as a script, image, or stylesheet. If the current page's URL carries sensitive data in its query string, that data is sent in the Referer header to every third-party domain the page links to or loads resources from. This can violate privacy policies and compliance requirements.
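As an added illustration of the remediation steps and of the mechanism described above (this is example code written for this page, not part of HawkScan or its rule set), the following Python script models what a browser puts in the Referer header for each Referrer-Policy value, and flags URL parameters whose names look sensitive. The parameter watch list, the URLs, and the helper names are constructed for the example; the policy behaviour follows the Referrer Policy specification.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Constructed watch list of parameter names that commonly carry secrets or
# personal data; it is illustrative, not the scanner's own rule set.
SENSITIVE_PARAM_NAMES = {
    "password", "passwd", "pwd", "token", "access_token", "session", "sessionid",
    "jsessionid", "phpsessid", "api_key", "apikey", "secret", "ssn", "email",
    "card", "cvv",
}

# Every value defined by the Referrer Policy specification.
POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def find_sensitive_params(url: str) -> list[str]:
    """Names of query parameters in `url` that look sensitive (empty for "")."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, _ in pairs if name.lower() in SENSITIVE_PARAM_NAMES]


def _host(parts) -> str:
    """host[:port] with any userinfo (user:pass@) dropped."""
    host = parts.hostname or ""
    return f"{host}:{parts.port}" if parts.port else host


def _origin(parts) -> str:
    return f"{parts.scheme}://{_host(parts)}"


def _full_referrer(parts) -> str:
    """The 'full URL' form: credentials and the fragment are never sent."""
    return urlunsplit((parts.scheme, _host(parts), parts.path or "/", parts.query, ""))


def referrer_for(policy: str, source_url: str, dest_url: str) -> str:
    """Referer value a browser sends when a request from `source_url` goes to
    `dest_url` under `policy`. "" means the header is omitted entirely.
    An empty policy string falls back to the current browser default."""
    policy = policy or "strict-origin-when-cross-origin"
    if policy not in POLICIES:
        raise ValueError(f"unknown Referrer-Policy value: {policy!r}")
    src, dst = urlsplit(source_url), urlsplit(dest_url)
    same_origin = _origin(src) == _origin(dst)
    downgrade = src.scheme == "https" and dst.scheme == "http"  # TLS -> plaintext
    full = _full_referrer(src)
    origin_only = _origin(src) + "/"  # the origin is sent with a trailing slash

    if policy == "no-referrer":
        return ""
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin_only
    if policy == "same-origin":
        return full if same_origin else ""
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "no-referrer-when-downgrade":
        return "" if downgrade else full
    if policy == "strict-origin":
        return "" if downgrade else origin_only
    # strict-origin-when-cross-origin: full URL same-origin, origin only
    # cross-origin, nothing on a downgrade.
    if downgrade:
        return ""
    return full if same_origin else origin_only


def leaked_params(policy: str, source_url: str, dest_url: str) -> list[str]:
    """Sensitive parameter names that would reach `dest_url` via Referer."""
    return find_sensitive_params(referrer_for(policy, source_url, dest_url))


if __name__ == "__main__":
    # Constructed example: a password-reset page whose URL carries a token and
    # an e-mail address, loading a script from a third-party analytics host.
    page = "https://shop.example/account/reset?token=abc123&email=a%40b.test"
    third_party = "https://analytics.example/collect"
    print("sensitive params in page URL:", find_sensitive_params(page))
    for policy in POLICIES:
        sent = referrer_for(policy, page, third_party) or "(no Referer header)"
        print(f"{policy:32} -> {sent}")
```

Running it shows that under unsafe-url and the legacy no-referrer-when-downgrade default the token and e-mail address reach the analytics host in full, while strict-origin-when-cross-origin reduces the header to the origin and same-origin or no-referrer suppress it. The policy only limits what browsers send; it does not stop the URL from being written to server, proxy and browser-history logs, which is why removing the data from the URL (step 1) remains the primary fix.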

Risks

High: Sensitive information leakage through HTTP referrer headers can lead to privacy violations, compliance breaches (PCI DSS, HIPAA), session hijacking, and unauthorized access to sensitive data by third parties.