Securing HTTP referer

Question

I develop software which stores files in directories with random names to prevent unauthorized users to download a file.

The first thing we need about this is to store them in a separate top-level domain (to prevent cookie theft).

The second danger is HTTP referer which may reveal the name of the secret directory.

My experiments with Chrome browser shows that HTTP referer is sent only when I click a link in my (secret) file. So the trouble is limited only to files which may contain links (in Chrome HTML and PDF). Can I rely on this behavior (not sending the referer is the next page is opened not from a current (secret) page link but with some other method such as entering the URL directly) for all browsers?

So the problem was limited only to HTML and PDF files. But it is not a complete security solution.

I suspect that we can fully solve this problem by adding Content-Disposition: attachment when serving all our secret files. Will it prevent the HTTP referer?

Also note that I am going to use HTTPS for a man-in-the-middle not to be able to download our secret files.

Answer 1

You can use the Referrer-Policy header to try to control referer behaviour. Please take note that this requires clients to implement this.

Instead of trying to conceal the file location, may I suggest you implement proper authentication and authorization handling?

Answer 2

I agree that Referrer-Policy is your best first step, but as DaSourcerer notes, it is not universally implemented on browsers you may support.

A fully server-side solution is as follows:

• User connects to .../<secret>
• Server generates a one-time token and redirects to .../<token>
• Server provides document and invalidate token

Now the referer will point to .../<token>, which is no longer valid. This has usability trade-offs, however:

• Reloading the page will not work (though you may be able to address this with a cookie or session)
• Users cannot share URL from URL bar, since it's technically invalid (in some cases that could be a minor benefit)

You may be able to get the same basic benefits without the usability trade-offs by doing the same thing with an IFRAME rather than redirecting. I'm not certain how IFRAME influences Referer.

This entire solution is basically just Referer masking done proactively. If you can rewrite the links in the document, then you could instead use Referer masking on the way out. (i.e. rewrite all the links so that they point to https://yoursite.com/redirect/....) Since you mention PDF, I'm assuming that this would be challenging (or that you otherwise do not want to rewrite the document).