Interesting Privacy analysis tool

It's worth seeing how your design measures up, with GDPR looming on Friday.

6 Likes

One of the interesting things is that it suggests adding:
<meta name="referrer" content="no-referrer">
to the head of your pages.

To quote the site:

Referrers leaked
When you click a link, your browser will typically send the HTTP referer [sic] header to the webserver where the destination webpage is at. The header contains the full URL of the page you came from. This lets sites see where traffic comes from. The header is also sent when external resources (such as images, fonts, JS and CSS) are loaded.

The referrer header is a privacy nightmare as it allows websites and services to track you across the web and learn about your browsing habits (and thus possibly private, sensitive information), particularly when combined with cookies.

Let’s say you’re logged in on Facebook. You visit a page with the URL http://www.some-hospital.com/some-medical-condition. On that page, you click a link to their Facebook page. Your browser then sends Referer: http://www.some-hospital.com/some-medical-condition to facebook.com, along with your Facebook cookies, allowing Facebook to associate your identity with that particular page.

The problem is made worse by the fact that many websites load resources like images and scripts from dozens of third-parties, sending referrer information to all of them, with the typical visitor having no idea that this is happening.

Thanks to a fairly recent development, Referrer Policy, it’s finally possible for websites to tell browsers to not leak referrers. It lets you specify a policy that’s applied to all links clicked, as well as all other requests generated by the page (images, JS, etc.).

A few different policies are offered, such as origin (strips everything except the origin) and origin-when-cross-origin (sends full URL with same-origin requests, otherwise stripped). We recommend no-referrer, which kills the referrer header entirely for all requests, no matter the destination; or same-origin, which kills the referrer for third-party requests but not for requests to the same origin.

A referrer policy can easily be set with a <meta> element in your HTML. Simply include this inside the <head> section:

<meta name="referrer" content="no-referrer">

While still a work in progress, Referrer Policy is now supported by all major browsers (except Internet Explorer, although it is supported by Edge, the new browser in Windows 10).

2 Likes
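To make the quoted policy descriptions concrete, here is an added example (not code from the original thread, from the tool, or from any browser) that works out what Referer value a browser sends for a given policy, source page and destination, following the "determine request's referrer" steps of the W3C Referrer Policy specification. It covers all eight named policies, not only the four the quote mentions, and the empty policy is mapped to strict-origin-when-cross-origin, the default in current browsers. The hospital and Facebook URLs are the quote's hypothetical scenario; the tracker URL is a constructed example.

```javascript
// Added example: compute the Referer header a browser would send under each
// Referrer Policy. Runs under Node.js (uses the WHATWG URL class, no packages).
// All URLs below are constructed for illustration, not real deployments.

const POLICIES = [
  'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
  'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url',
];

// "Strip url for use as a referrer": remove credentials and fragment,
// keep scheme, host, path and query.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// A downgrade is a request from a TLS-protected page to a non-TLS destination.
// (Simplified: other "potentially trustworthy" origins such as localhost are
// not special-cased here.)
function isDowngrade(from, to) {
  return from.protocol === 'https:' && to.protocol !== 'https:';
}

// Returns the Referer value as a string, or null when the header is omitted.
function refererFor(policy, fromUrl, toUrl) {
  if (policy === '') policy = 'strict-origin-when-cross-origin'; // current browser default
  if (!POLICIES.includes(policy)) {
    throw new Error(`unknown referrer policy: ${policy}`);
  }
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const full = stripForReferrer(fromUrl);
  const originOnly = from.origin + '/'; // origin serialised as a URL

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return full;
    case 'no-referrer-when-downgrade':
      return isDowngrade(from, to) ? null : full;
    case 'origin':
      return originOnly; // leaks the origin even on a downgrade
    case 'same-origin':
      return sameOrigin ? full : null;
    case 'origin-when-cross-origin':
      return sameOrigin ? full : originOnly;
    case 'strict-origin':
      return isDowngrade(from, to) ? null : originOnly;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return isDowngrade(from, to) ? null : originOnly;
  }
}

// The quote's scenario: a logged-in user clicks from a hospital page to Facebook.
const hospitalPage = 'http://www.some-hospital.com/some-medical-condition';
const facebookPage = 'https://www.facebook.com/some-hospital';
// A downgrade scenario: an HTTPS hospital page loading a plain-HTTP tracking pixel.
const secureHospitalPage = 'https://www.some-medical-condition.example/page';
const plainTrackerPixel = 'http://tracker.example/pixel.gif';

for (const policy of POLICIES) {
  console.log(
    policy.padEnd(32),
    String(refererFor(policy, hospitalPage, facebookPage)).padEnd(52),
    refererFor(policy, secureHospitalPage, plainTrackerPixel),
  );
}
```

Reading the table it prints: only no-referrer and same-origin keep the medical-condition path away from facebook.com; origin and strict-origin both reduce it to the site origin, but strict-origin additionally sends nothing at all on the HTTPS-to-HTTP downgrade, which is why it is the stronger choice of the two when an origin-only referrer is still wanted.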

Thanks, this is a good tool!
Here is some code that helps to secure the headers (paste it into your .htaccess file):

```apache
# START HTTP Security Header
# HTTP Content-Types
AddCharset UTF-8 .html
# Public Key Pins: the two pin values are placeholders and must be replaced with the
# real SHA-256 pins of your certificate chain (primary) and an offline backup key.
# Browsers ignore the header unless one pin matches the served chain; a valid but
# wrong set locks visitors out for max-age seconds (60 days here), so test carefully.
# The inner quotes are escaped so Apache reads the value as a single argument.
Header set Public-Key-Pins "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains"
# Strict-Transport-Security (one year, all subdomains)
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# X-Content-Type-Options ("always" also sets the header on error responses)
Header always set X-Content-Type-Options "nosniff"
# X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"
# X-XSS-Protection
Header always set X-XSS-Protection "1; mode=block"
# Referrer-Policy
Header set Referrer-Policy "strict-origin"
# END HTTP Security Header
```

1 Like