summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/csrf.txt12
1 files changed, 12 insertions, 0 deletions
diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt
index 802d7251ab..dd5ea479ae 100644
--- a/docs/ref/csrf.txt
+++ b/docs/ref/csrf.txt
@@ -315,7 +315,19 @@ the HOST header <host-headers-virtual-hosting>` and that there aren't any
(because XSS vulnerabilities already let an attacker do anything a CSRF
vulnerability allows and much worse).
+.. admonition:: Removing the ``Referer`` header
+
+ To avoid disclosing the referrer URL to third-party sites, you might want
+ to `disable the referer`_ on your site's ``<a>`` tags. For example, you
+ might use the ``<meta name="referrer" content="no-referrer">`` tag or
+ include the ``Referrer-Policy: no-referrer`` header. Due to the CSRF
+ protection's strict referer checking on HTTPS requests, those techniques
+ cause a CSRF failure on requests with 'unsafe' methods. Instead, use
+ alternatives like ``<a rel="noreferrer" ...>"`` for links to third-party
+ sites.
+
.. _BREACH: http://breachattack.com/
+.. _disable the referer: https://www.w3.org/TR/referrer-policy/#referrer-policy-delivery
Caching
=======