CDNs and personally identifiable information in the referer header

Question

I have an application that uses CDNs for jQuery and other libraries. Some pages have URLs that contain slugs with possibly personally identifiable information, for example the URL:

https://mycompany.com/myapp/people/123/kilgore-trout

contains a person's database ID and a slugged version of their name. This may be a confidentiality risk because the URL is sent to the CDN in the request's referer header.

Is this a legitimate concern? If so, is there anything I can do besides not use CDNs?

score 5 · Accepted Answer · answered Nov 06 '14 at 08:51

5

Your concern is right. Client's browser will be leak your query string or url when it try to reach images or external javascript files.

Mitigate can be done via following meta tag.

<meta name="referrer" content="never">

When you put this meta tag into your html, browser wont leak your urls.

Further information : http://w3c.github.io/webappsec/specs/referrer-policy/

answered Nov 06 '14 at 08:51

Mehmet Ince

1,298
9
20

Another good article: http://smerity.com/articles/2013/where_did_all_the_http_referrers_go.html – Jamie Ide Nov 06 '14 at 16:43

CDNs and personally identifiable information in the referer header

1 Answers1