Other browser security headers and controls
The web is an evolving standard, and new security controls will keep being introduced, so we should keep an eye on them. Embrace and prepare for privacy and feature controls, and for newer headers such as Referrer-Policy, Feature-Policy, Origin-Policy, Integrity, Accept-CH, and Clear-Site-Data.
As the web evolves, it creates new standards for us to adopt. This also applies to new HTTP headers. We will quickly review a bunch of them here as a first step in establishing familiarity with a wider range of headers.
Referrer-Policy
Embrace and prepare for privacy-related policies using Referrer-Policy, which instructs the browser when, and how much, information to provide when setting a Referer header as users navigate away from an existing web page.
Some example values for Referrer Policy are:
Referrer-Policy: no-referrer
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
The default value set by the browser is no-referrer-when-downgrade. However, a better option would be one of the strict-origin options, such as strict-origin-when-cross-origin. That setting ensures that the complete referrer (the full URL) is sent only when the request stays within the same origin, and so is bound to the same web application context; for cross-origin requests that stay at the same HTTPS security level, only the origin (not the full path) is sent; and when the request downgrades from HTTPS to HTTP, nothing is sent at all.
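To make the difference between these values concrete, here is an added example (not code from the original lesson) that models the browser's Referer decision for a navigation from one URL to another under a given Referrer-Policy. It covers the values named above plus the remaining standard policy names, and the sample URLs are constructed for illustration.

```javascript
// Added example: model what Referer value a browser sends for a navigation
// from `from` to `to` under a given Referrer-Policy value.
// Returns null when no Referer header is sent at all.

// A full referrer never carries credentials or the URL fragment.
function fullReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// An origin-only referrer is serialized as scheme://host[:port]/ (trailing slash).
function originReferrer(url) {
  return new URL(url).origin + "/";
}

// A "downgrade" is a request from an HTTPS page to a plain-HTTP destination.
function isDowngrade(from, to) {
  return new URL(from).protocol === "https:" && new URL(to).protocol === "http:";
}

function referrerFor(policy, from, to) {
  const sameOrigin = new URL(from).origin === new URL(to).origin;
  const downgrade = isDowngrade(from, to);
  switch (policy) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return fullReferrer(from);                 // always leaks the full URL
    case "origin":
      return originReferrer(from);               // origin only, even on downgrade
    case "same-origin":
      return sameOrigin ? fullReferrer(from) : null;
    case "origin-when-cross-origin":
      return sameOrigin ? fullReferrer(from) : originReferrer(from);
    case "strict-origin":
      return downgrade ? null : originReferrer(from);
    case "no-referrer-when-downgrade":
      return downgrade ? null : fullReferrer(from);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return fullReferrer(from); // full URL within the app
      return downgrade ? null : originReferrer(from); // origin only, nothing on downgrade
    default:
      throw new Error("unknown Referrer-Policy value: " + policy);
  }
}
```

Note that no-referrer-when-downgrade still sends the full path and query string to any third-party HTTPS site, which is why strict-origin-when-cross-origin is the better choice.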
The browser support matrix as to the date of writing this is as follows: