Version: v1

Information Disclosure - Sensitive Information in HTTP Referrer Header

Information Disclosure - Referrer Header

What is it?

The HTTP 'Referrer' header (sent on the wire as 'Referer') may have leaked a potentially sensitive parameter to another domain. This can violate PCI and most organizational compliance policies.

Examples of sensitive information in the 'Referrer' header are parameters with keys such as 'user', 'username', 'pass', 'password', 'pwd', 'token', 'ticket', 'session', 'jsessionid', 'sessionid', etc.

Test case FAQs

When is this test case applicable?

This is applicable for all API endpoints when the Baseline security category is enabled in test plans.

How does it work?

Requests sent to the API server are analyzed for the presence of sensitive information in the 'Referrer' header.
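As an added illustration of that analysis (example code written for this page, not the product's own detector), the Python below inspects each request's referrer for the parameter names listed above and reports them only when the referring host differs from the API host. The header is spelled 'Referer' on the wire; the host names and sample requests are constructed.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter names the test case treats as sensitive (the page's list, lower-cased).
SENSITIVE_KEYS = {"user", "username", "pass", "password", "pwd", "token",
                  "ticket", "session", "jsessionid", "sessionid"}

def _host_only(netloc_or_host):
    """Normalise 'user@Example.com:443' -> 'example.com' for host comparison."""
    return netloc_or_host.rsplit("@", 1)[-1].split(":", 1)[0].lower()

def referrer_leaks(request_host, headers):
    """Sensitive parameter names found in the referrer of one request to request_host.
    The header is 'Referer' on the wire; the 'Referrer' spelling is accepted too
    (names compared case-insensitively). Any referring host other than
    request_host counts as another domain (simplification: subdomains differ).
    """
    referer = next((v for k, v in headers.items()
                    if k.lower() in ("referer", "referrer")), None)
    if not referer:
        return []
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return []            # relative or malformed referrer: no domain to compare
    if _host_only(parts.netloc) == _host_only(request_host):
        return []            # same host: not a disclosure to another domain
    # keep_blank_values so 'token=' (empty) is still reported as an exposed parameter
    keys = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    return sorted(keys & SENSITIVE_KEYS)

def scan(requests):
    """Path -> sensitive referrer parameters, for the requests that leak any."""
    return {r["path"]: leaks for r in requests
            if (leaks := referrer_leaks(r["host"], r["headers"]))}

# Constructed sample traffic to the API host api.example.test (not captured data).
SAMPLE_REQUESTS = [
    {"host": "api.example.test", "path": "/v1/orders",
     "headers": {"Referer": "https://app.partner.test/login?username=alice&password=hunter2&page=3"}},
    {"host": "api.example.test", "path": "/v1/me",        # same host: not flagged
     "headers": {"Referer": "https://api.example.test/reset?token=abc"}},
    {"host": "api.example.test", "path": "/v1/health",    # no referrer at all
     "headers": {"User-Agent": "probe/1.0"}},
    {"host": "api.example.test", "path": "/v1/files",     # lower-case header name
     "headers": {"referer": "https://cdn.partner.test/view?id=42&JSESSIONID=9f"}},
]

if __name__ == "__main__":
    for path, leaks in scan(SAMPLE_REQUESTS).items():
        print(f"{path}: sensitive parameter(s) in referrer: {', '.join(leaks)}")
```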

What is the solution?

Do not pass sensitive information in URIs, since a page's URI is sent as the referrer of the requests it triggers.