The full hackmd url is passed as part of the Referer header of the request body to embedded content (for example images). This is a big security problem as it means that the potetentially secret, but public url is leaked to third parties.
This could be solved by setting the Referrer-Policy header, for example:
Referrer-Policy: strict-origin-when-cross-origin
Embedded https content from third parties would still receive the origin ("hackmd.something.org"), as they might want to know where traffic is originating from, but not the full url ("hackmd.something.org/MYFmAYGYHZIEwLQCMCcAAsfhaWAHMAihgIzQICGZee4ASfsQA"). Embedded http content would not receive any referrer information.
It might be a good idea to set some other headers as well, as suggested by the securityheaders.io scan.
They recommend these values (I did not cross-check them!):
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN //debatable, I can imagine a lot of cases in which people might want to embedded hackmd documents in an iframe
The full hackmd url is passed as part of the
Refererheader of the request body to embedded content (for example images). This is a big security problem as it means that the potetentially secret, but public url is leaked to third parties.This could be solved by setting the
Referrer-Policyheader, for example:Embedded https content from third parties would still receive the origin ("hackmd.something.org"), as they might want to know where traffic is originating from, but not the full url ("hackmd.something.org/MYFmAYGYHZIEwLQCMCcAAsfhaWAHMAihgIzQICGZee4ASfsQA"). Embedded http content would not receive any referrer information.
It might be a good idea to set some other headers as well, as suggested by the securityheaders.io scan.
They recommend these values (I did not cross-check them!):