4.4.2 Ensure 'preserveFullyQualifiedReferrerUrl' is set to 'false'

Information

Setting the preserveFullyQualifiedReferrerUrl attribute to false ensures that the host for the referrer URL is removed, and that the redirect is to localhost.

Preserving a fully qualified referrer URL that includes the hostname may expose your systems to URL redirect attacks.

Solution

Set the preserveFullyQualifiedReferrerUrl attribute to false in the webAppSecurity element in ${server.config.dir}/configDropins/overrides/*.xml:

<webAppSecurity preserveFullyQualifiedReferrerUrl="false" />
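A checker that parses the override files and reports whether each one sets this attribute to "false", to "true", or not at all, as an added example that is not part of the benchmark or of Liberty itself (Python standard library only; the sample documents and the directory layout are constructed, and each file is judged on its own rather than after Liberty's configuration merge):

```python
"""Audit Liberty webAppSecurity for preserveFullyQualifiedReferrerUrl (added example)."""
import glob
import os
import xml.etree.ElementTree as ET

ATTR = "preserveFullyQualifiedReferrerUrl"


def check_config(xml_text):
    """Classify one Liberty configuration document.

    'fail'    : some <webAppSecurity> element sets the attribute to "true"
    'pass'    : the attribute is explicitly "false" and never "true"
    'not_set' : no <webAppSecurity> element carries the attribute
    """
    root = ET.fromstring(xml_text)
    values = []
    # iter() visits the root too, so a bare <webAppSecurity .../> snippet works.
    for elem in root.iter("webAppSecurity"):
        if ATTR in elem.attrib:
            values.append(elem.attrib[ATTR].strip().lower())
    if "true" in values:
        return "fail"
    if "false" in values:
        return "pass"
    return "not_set"


def audit_overrides(config_dir):
    """Check every ${server.config.dir}/configDropins/overrides/*.xml file."""
    pattern = os.path.join(config_dir, "configDropins", "overrides", "*.xml")
    results = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as fh:
            results[path] = check_config(fh.read())
    return results


# Constructed sample documents, not taken from a real server.
COMPLIANT = '<server><webAppSecurity preserveFullyQualifiedReferrerUrl="false" /></server>'
NONCOMPLIANT = '<server><webAppSecurity preserveFullyQualifiedReferrerUrl="true" /></server>'
UNSET = '<server><webAppSecurity ssoRequiresSSL="true" /></server>'

if __name__ == "__main__":
    for name, doc in [("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT), ("unset", UNSET)]:
        print(f"{name}: {check_config(doc)}")
    # Point audit_overrides at a real ${server.config.dir} to check live files.
```

A result of "not_set" means the file relies on whatever the server default is, so it does not by itself satisfy the explicit "false" the benchmark asks for.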

See Also

https://workbench.cisecurity.org/benchmarks/7724

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-31

Plugin: Unix

Control ID: 8f7864e147fa4df2b4fcf8fff07cb16031683e45311626823e78e88d49a325d0