JavaScript

Made by DeepSource

Detected Unsafe referrer policy JS-S1011

Security
Critical
A05 · SANS Top 25 · OWASP Top 10 · CWE-937

The Referrer-Policy HTTP header controls how much referrer information a browser includes in requests made from a page. Configuring this header incorrectly can expose private data carried in the referring page's URL to the destinations it links to or loads resources from.

The possible values for this header are documented on MDN. The unsafe-url value sends the origin, path and query string with every request, regardless of the destination's origin or whether the request downgrades from HTTPS to HTTP. This can leak private information such as session tokens or search terms embedded in the URL.

Bad Practice

import helmet from 'helmet'
import express from 'express'

const app = express()
// Flagged: unsafe-url (and no-referrer-when-downgrade) send the full URL,
// including path and query string, to other origins.
app.use(helmet.referrerPolicy({ policy: 'unsafe-url' }))

Recommended

import helmet from 'helmet'
import express from 'express'

const app = express()
// Safe choices: no-referrer, origin, same-origin, strict-origin,
// origin-when-cross-origin, strict-origin-when-cross-origin.
app.use(helmet.referrerPolicy({ policy: 'no-referrer' }))
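The following is an added example, not DeepSource's or helmet's code: a dependency-free checker that classifies a Referrer-Policy header value the way this rule does, handling the comma-separated fallback form of the header (browsers apply the last token they recognise), together with a small Express-style middleware that refuses an unsafe value at configuration time. The policy names are the standard ones from the Referrer-Policy specification; the response object and the middleware signature are assumptions made for the example.

```javascript
// Added example (not DeepSource's or helmet's code): a checker for the
// Referrer-Policy header that mirrors what JS-S1011 flags, plus a
// dependency-free Express-style middleware that only accepts safe values.

// Policies that never send more than the origin cross-origin and never send
// anything on an HTTPS -> HTTP downgrade.
const SAFE_POLICIES = new Set([
  'no-referrer',
  'same-origin',
  'origin',
  'strict-origin',
  'origin-when-cross-origin',
  'strict-origin-when-cross-origin',
]);

// Policies that expose the full URL (path and query string) to other origins.
const UNSAFE_POLICIES = new Set(['unsafe-url', 'no-referrer-when-downgrade']);

// Parse a Referrer-Policy header value. The header may carry a comma-separated
// fallback list ("no-referrer, strict-origin-when-cross-origin"); browsers use
// the LAST token they recognise, so that token is the effective policy.
function effectiveReferrerPolicy(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const tokens = headerValue
    .split(',')
    .map((t) => t.trim().toLowerCase())
    .filter(Boolean);
  let effective = null;
  for (const token of tokens) {
    if (SAFE_POLICIES.has(token) || UNSAFE_POLICIES.has(token)) effective = token;
  }
  return effective;
}

// 'unsafe' if the effective policy leaks path/query cross-origin, 'safe' if it
// is in the safe set, 'missing' if the header is absent or has no recognised
// token (the browser then falls back to its default policy).
function classifyReferrerPolicy(headerValue) {
  const policy = effectiveReferrerPolicy(headerValue);
  if (policy === null) return 'missing';
  return UNSAFE_POLICIES.has(policy) ? 'unsafe' : 'safe';
}

// Minimal Express-compatible middleware (assumed signature (req, res, next))
// that fails fast on an unsafe or unknown policy instead of shipping it.
function referrerPolicy(policy = 'no-referrer') {
  if (classifyReferrerPolicy(policy) !== 'safe') {
    throw new Error(`refusing unsafe or unknown Referrer-Policy: ${policy}`);
  }
  return function referrerPolicyMiddleware(req, res, next) {
    res.setHeader('Referrer-Policy', policy);
    next();
  };
}

// Stand-in for an Express response object, constructed for this example.
function fakeResponse() {
  const headers = {};
  return {
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    getHeader(name) { return headers[name.toLowerCase()]; },
  };
}

// Run the middleware once against the fake response and return the header it set.
function headerSetBy(middleware) {
  const res = fakeResponse();
  let nextCalled = false;
  middleware({}, res, () => { nextCalled = true; });
  return nextCalled ? res.getHeader('Referrer-Policy') : undefined;
}
```

Usage: `classifyReferrerPolicy(res.getHeader('Referrer-Policy'))` can be run over responses in an integration test to catch a misconfigured header, and `app.use(referrerPolicy('strict-origin'))` sets a safe value without helmet. Note that a fallback list such as `no-referrer, unsafe-url` is still unsafe, because the last recognised token wins.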
