[valid_referers] none in valid_referers
The ngx_http_referer_module module allows blocking access to a service for requests with wrong
It's often used for setting the X-Frame-Options header (ClickJacking protection), but there may be other cases.
Typical problems with this module's config:
- use of server_names with bad server name (
- too broad and/or bad regexes;
- use of
Notice: at the moment, Gixy can only detect the use of none as a valid referer.
Why is none bad?
According to docs:
none - the “Referer” field is missing in the request header;
Still, it's important to remember that any resource can make a user's browser send a request without a Referer request header:
- in case of redirect from HTTPS to HTTP;
- by setting up the Referrer Policy;
- a request with an opaque origin, the data: scheme, for example.
So, by using none as a valid referer, you nullify any attempt at referer validation.
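
The check described above can be reproduced with a short script that scans a configuration for valid_referers directives listing none. This is an added example, not Gixy's own code; the function names and the sample configuration are constructed for illustration, and the comment stripping is a simplification that does not handle '#' inside quoted strings or regexes.

```python
import re

# Constructed sample configuration (not from the original page).
SAMPLE_CONF = """\
server {
    server_name example.com;
    location /frame/ {
        valid_referers none server_names *.example.com;   # weak
        if ($invalid_referer) { return 403; }
    }
    location /strict/ {
        valid_referers server_names
                       *.example.com;
        if ($invalid_referer) { return 403; }
    }
    # valid_referers none;  (commented out, must be ignored)
}
"""

# A directive runs from its name to the terminating ';' and may span lines.
DIRECTIVE = re.compile(r"\bvalid_referers\s+([^;{}]*);")


def strip_comments(text):
    """Remove '#' comments but keep line breaks so line numbers stay correct."""
    return re.sub(r"#[^\n]*", "", text)


def find_none_referers(conf_text):
    """Return (line_number, parameters) for each valid_referers listing 'none'."""
    text = strip_comments(conf_text)
    findings = []
    for match in DIRECTIVE.finditer(text):
        params = match.group(1).split()
        # 'none' means a request with no Referer header passes the check.
        if "none" in params:
            line = text.count("\n", 0, match.start()) + 1
            findings.append((line, params))
    return findings


if __name__ == "__main__":
    for line, params in find_none_referers(SAMPLE_CONF):
        print(f"line {line}: missing Referer is accepted: "
              f"valid_referers {' '.join(params)}")
```

Dropping none from the flagged directive makes $invalid_referer apply to requests that carry no Referer header as well.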