HTTP referrer protection

I am developing software that stores files in directories with random names to prevent unauthorized users from downloading the files.

The first thing we need to do is store them in a separate top-level domain (to prevent theft of cookies).

The second danger is the HTTP referer, which can display the name of the secret directory.

My experiments with the Chrome browser show that the HTTP referer is only sent when a link in my (secret) file is clicked. So the problem is only limited to files that can contain links (in HTML and PDF in HTML format). Can I rely on this behavior (no referer is sent when the next page is opened not from a link in the current (secret) page, but by some other method such as entering a URL) for all browsers?

So the problem was limited to HTML and PDF files only. But this is not a complete security solution.

I suspect that we can completely fix this problem by adding `Content-Disposition: attachment` to all our secret files when serving. Will this hinder the HTTP referrer?

Also note that I am going to use HTTPS so that a man in the middle cannot download our secret files.

+3




2 answers


You can use a `Referrer-Policy` header to try and control the behavior of the referrer. Please note that this requires clients to support it.



Rather than hiding the location of the file, may I suggest that you do the correct authentication and authorization?

+1




I agree that `Referrer-Policy` is your best first step, but as DaSourcerer points out, it is not universally implemented in browsers you can support.

A completely server-side solution looks like this:

  • User connects to .../<secret>

  • The server generates a one-time token and redirects to .../<token>

  • Server provides the document and invalidates the token

The Referer will now point to .../<token>, which is no longer valid. However, this has a usability tradeoff:



  • Reloading the page won't work (although you can access it using a cookie or session)
  • Users cannot pass along the URL from the URL bar, as it is technically not valid (this may be a minor benefit in some cases)

You can get the same basic benefits without any compromise in usage by doing the same with an IFRAME rather than redirecting. I'm not sure how the IFRAME Referer is affected.

This whole solution basically just masks the Referer, proactively. If you can rewrite the links in the document, then you can use Referer masking instead (i.e. rewrite all links so that they point to https://yoursite.com/redirect/....). Since you mention PDF, I assume it will be difficult (or that you would not otherwise want to rewrite the document).

+1
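The one-time-token redirect from the answer above, sketched as an added example (not code from either answer) with the `Referrer-Policy` header applied to every response. The `/s/` and `/t/` path prefixes, the in-memory token store, the 30-second lifetime and the sample document are assumptions made for illustration.

```python
import secrets
import time

# Constructed sample data: secret directory name -> document bytes.
DOCUMENTS = {"s3cr3t-dir-constructed": b"<a href='https://example.org/'>external link</a>"}
TOKEN_TTL = 30   # seconds a redirect token stays usable (assumed value)
_tokens = {}     # token -> (secret, expiry); a multi-process server needs a shared store

HARDENING = {
    "Referrer-Policy": "no-referrer",  # honoured only by browsers that implement it
    "Cache-Control": "no-store",       # keep the document out of shared caches
}

def handle_get(path, now=None):
    """Return (status, headers, body) for GET /s/<secret> or GET /t/<token>."""
    now = time.time() if now is None else now
    kind, _, value = path.strip("/").partition("/")
    if kind == "s" and value in DOCUMENTS:
        # Step 2: mint an unguessable token and redirect away from the secret URL.
        token = secrets.token_urlsafe(32)
        _tokens[token] = (value, now + TOKEN_TTL)
        return 303, {"Location": f"/t/{token}", **HARDENING}, b""
    if kind == "t":
        # Step 3: pop() makes the token single use, so a leaked Referer
        # of /t/<token> no longer resolves to the document.
        secret, expiry = _tokens.pop(value, (None, 0))
        if secret is not None and now <= expiry:
            return 200, {"Content-Type": "text/html", **HARDENING}, DOCUMENTS[secret]
    return 404, dict(HARDENING), b""
```

Reloading `/t/<token>` returns 404, which is the usability tradeoff listed in the answer.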

