5.17 Ensure HTTP Header Referrer-Policy is set appropriately

Information

The server now allows for controlling the amount of 'referrer' information being sent with requests. Limiting information to only what is needed is security best practice.

Rationale:

HTTP/S traffic is vulnerabe to attack - limiting what is sent in a request to only what is needed will limit the threat vector.

Impact:

You must only limit the header information to what is needed to support the request. Limiting it to much may disrupt the ability to get a proper/expected response.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Perform the following to implement the recommended state:
Add or modify the Header directive for the Referrer-Policy header in the Apache configuration to have the appropriate condition as shown below.

Header set Referrer-Policy "<Directive>"

Default Value:

Referrer-Policy Policy is not set by Default

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-10, 800-53|CM-11, 800-53|SC-7(8), 800-53|SC-18, CSCv7|9.4, CSCv7|18.2

Plugin: Unix

Control ID: bbf3d3c699ffbd4eca5bfcbc5ec805f9414ac0c51d6674ea3a47f312a14b73a2