Fetching contributors…
Cannot retrieve contributors at this time
22 lines (17 sloc) 1.15 KB

[valid_referers] none in valid_referers

Module ngx_http_referer_module allows to block the access to service for requests with wrong Referer value. It's often used for setting X-Frame-Options header (ClickJacking protection), but there may be other cases.

Typical problems with this module's config:

  • use of server_names with bad server name (server_name directive);
  • too broad and/or bad regexes;
  • use of none.

Notice: at the moment, Gixy can only detect the use of none as a valid referer.

Why none is bad?

According to docs:

none - the “Referer” field is missing in the request header;

Still, it's important to remember that any resource can make user's browser to make a request without a Referer request header. E.g.:

  • in case of redirect from HTTPS to HTTP;
  • by setting up the Referrer Policy;
  • a request with opaque origin, data: scheme, for example.

So, by using none as a valid referer, you nullify any attemps in refferer validation.