EIQ-2018-0016#

ID	EIQ-2018-0016 (Former ref.: 25116)
CVE	-
Description	Nginx sends full referrer data
Date	-
Severity	1 - LOW
CVSSv3 score	CVSSv3 score not available on NIST NVD.
Status	✅ 2.7.0
Assessment	When navigating the application, and possibly when navigating to an external URL, the Nginx server includes the Referer header. This could provide a potential attacker with the external IP address, or the internal system name of the application, creating a view of the potential attack surface.
Mitigation	Set the Referrer-Policy header value in Nginx to `same-origin`. `same-origin` is preferable to `no-referrer` because it allows referrer values for local requests. Example: add_header 'Referrer-Policy' 'same-origin'; See also: Referer header: privacy and security concerns A new security header: Referrer Policy
Affected versions	2.3.1 to 2.6.0 included.
Notes	-