mirror of https://github.com/yandex/gixy
22 lines
1.2 KiB
Markdown
22 lines
1.2 KiB
Markdown
# [valid_referers] none in valid_referers
|
|
Module [ngx_http_referer_module](http://nginx.org/en/docs/http/ngx_http_referer_module.html) allows to block the access to service for requests with wrong `Referer` value.
|
|
It's often used for setting `X-Frame-Options` header (ClickJacking protection), but there may be other cases.
|
|
|
|
Typical problems with this module's config:
|
|
* use of `server_names` with bad server name (`server_name` directive);
|
|
* too broad and/or bad regexes;
|
|
* use of `none`.
|
|
|
|
> Notice: at the moment, Gixy can only detect the use of `none` as a valid referer.
|
|
|
|
## Why none is bad?
|
|
According to [docs](http://nginx.org/ru/docs/http/ngx_http_referer_module.html#valid_referers):
|
|
> `none` - the “Referer” field is missing in the request header;
|
|
|
|
Still, it's important to remember that any resource can make user's browser to make a request without a `Referer` request header.
|
|
E.g.:
|
|
- in case of redirect from HTTPS to HTTP;
|
|
- by setting up the [Referrer Policy](https://www.w3.org/TR/referrer-policy/);
|
|
- a request with opaque origin, `data:` scheme, for example.
|
|
|
|
So, by using `none` as a valid referer, you nullify any attemps in refferer validation. |