Referer header: privacy and security concerns

There are privacy and security risks associated with the HTTP Referer header. This article describes them and offers advice on avoiding those risks.

The referrer problem

The Referer header (note the spelling: the header name keeps the historical misspelling of "referrer") contains the address of the web page from which a link to the currently requested page was followed. This has many fairly innocent uses, including analytics, logging, and optimized caching. However, there are more problematic uses, such as tracking users or stealing information, as well as side effects such as inadvertently leaking sensitive information.

For example, consider a "password reset" page with a social media link in its footer. If the user follows that link, then, depending on how the information is shared, the social media site may receive the password reset URL (including any reset token it carries) and may still be able to use it, potentially compromising the user's security.

By the same logic, an image hosted on a third-party site but embedded in your page could result in sensitive information being leaked to that third party, because the browser sends the embedding page's URL as the Referer of the image request. Even if security is not compromised, the information may not be something the user wants shared.

How can we fix this?

Much of this risk can be mitigated by sensible application design. A sensible application removes such risks by making password reset URLs usable only once and only for a short time, or only in combination with a unique, unguessable user token, and by transmitting sensitive data in other ways than the URL.

You should use POST rather than GET wherever possible, so that sensitive data never ends up in a URL, where it can be passed on to other locations via the Referer header (and also to browser history, proxies, and server logs).

You should always use HTTPS for your sites. This has many security advantages, including the fact that, under the browser's default referrer policy, an HTTPS page never sends referrer information to a non-HTTPS destination; only an explicit unsafe-url policy overrides this. Modern browsers default to strict-origin-when-cross-origin, which additionally strips the path and query string from referrers sent to other origins, but that default should be treated as a safety net rather than a substitute for an explicit policy. This protection is becoming less useful in this context now that most of the web uses HTTPS, but it is still worth considering.

In addition, you should consider removing any third-party content (e.g. social networking widgets embedded in an <iframe>, or images served from another origin) from secure areas of your website, such as password reset pages, payment forms, and login areas.

You can also mitigate such risks using:

  • The Referrer-Policy header sent by your server, which controls what information the browser puts in the Referer header for requests originating from the page. A policy of no-referrer omits the Referer header entirely; strict-origin-when-cross-origin (the modern browser default) sends only your origin to other sites and nothing at all to non-HTTPS destinations.
  • The referrerpolicy attribute on HTML elements that are in danger of leaking such information (such as <img> and <a>). This can, for example, be set to no-referrer to stop the Referer header being sent altogether for that element, overriding the page-wide policy.
  • The rel attribute set to noreferrer on the elements that support it (<a>, <area>, and <form>). Besides suppressing the Referer header, rel="noreferrer" also implies noopener, so the opened page cannot reach your window through window.opener. See Link types and search for noreferrer for more information.
  • The Exit page technique.
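The following is an added example, not code from the original article, that models how each Referrer-Policy value (whether set by the header or by a referrerpolicy attribute) decides what the browser puts in the Referer header, following the referrer-determination steps of the Fetch standard. It also illustrates the HTTPS-to-HTTP downgrade rule mentioned above. The model is simplified: only https: is treated as a potentially trustworthy scheme, and the standard's handling of about:blank and oversized referrers is omitted. The URLs (a reset page carrying a token, a social widget, a tracking pixel) and the function names are constructed for illustration.

```javascript
// Added example (not from the original article): a model of how each
// Referrer-Policy value decides what the browser sends as Referer.
// Simplified from the Fetch standard's "determine request's referrer":
// only https: counts as potentially trustworthy; about:blank and the
// referrer length limit are ignored.

// "Strip url for use as a referrer": drop credentials and fragment; with
// originOnly also drop path and query so only scheme://host[:port]/ remains.
function stripForReferrer(urlString, originOnly = false) {
  const u = new URL(urlString);
  u.username = "";
  u.password = "";
  u.hash = "";
  if (originOnly) {
    u.pathname = "/";
    u.search = "";
  }
  return u.href;
}

// Referer value a browser would send for a request to requestUrl made from a
// document at referrerUrl under the given policy, or null when no Referer
// header is sent. An empty policy means "none set", which modern browsers
// treat as strict-origin-when-cross-origin.
function computeReferrer(policy, referrerUrl, requestUrl) {
  if (policy === "no-referrer") return null;
  const ref = new URL(referrerUrl);
  const req = new URL(requestUrl);
  const sameOrigin = ref.origin === req.origin;
  // Downgrade: an https: page requesting a non-https: URL.
  const downgrade = ref.protocol === "https:" && req.protocol !== "https:";
  const full = stripForReferrer(referrerUrl);
  const originOnly = stripForReferrer(referrerUrl, true);

  switch (policy) {
    case "unsafe-url":
      return full;
    case "same-origin":
      return sameOrigin ? full : null;
    case "origin":
      return originOnly;
    case "strict-origin":
      return downgrade ? null : originOnly;
    case "origin-when-cross-origin":
      return sameOrigin ? full : originOnly;
    case "no-referrer-when-downgrade":
      return downgrade ? null : full;
    case "":
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// True when the Referer that would be sent still carries the page's query
// string (for instance a reset token), i.e. the policy does not protect it.
function leaksQuery(policy, referrerUrl, requestUrl) {
  const sent = computeReferrer(policy, referrerUrl, requestUrl);
  return sent !== null && new URL(sent).search !== "";
}

// Constructed URLs: a reset page with its token in the query string, a
// cross-origin social widget over https, and a plain-http tracking pixel.
const RESET_PAGE = "https://bank.example/reset-password?token=s3cr3t#top";
const WIDGET = "https://social.example/widget.js";
const PIXEL = "http://tracker.example/pixel.gif";

const ALL_POLICIES = [
  "no-referrer", "no-referrer-when-downgrade", "origin",
  "origin-when-cross-origin", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
];

// What the reset page would reveal to the widget and to the pixel under
// every policy; pass the result to console.table() to read it.
function referrerTable() {
  const rows = {};
  for (const p of ALL_POLICIES) {
    rows[p] = {
      widget: computeReferrer(p, RESET_PAGE, WIDGET),
      pixel: computeReferrer(p, RESET_PAGE, PIXEL),
    };
  }
  return rows;
}
```

Run console.table(referrerTable()) to see that only unsafe-url hands the token to the https widget, that no policy except unsafe-url, origin and origin-when-cross-origin sends anything to the http pixel, and that even the default policy still sends the full URL, token included, to same-origin requests, which is why the token itself must also be single-use.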

Security-conscious server-side frameworks tend to have built-in mitigations for such problems, for example:

Policy and requirements

It would make sense to write a set of security and privacy requirements for your project team(s) that specify how such features are to be used to mitigate the associated risks. You should enlist the help of a web security expert to write these requirements, and consider both user needs and welfare as well as other issues such as policy and regulation imposed by legislation like the EU General Data Protection Regulation (GDPR).

See also