HCL Commerce Version 9.1.20.0 or later

Enabling the Referrer-Policy header

You can configure the Referrer-Policy header settings to control how much referrer information (sent via the Referer header) should be included with requests made from your site. This header helps protect user privacy by limiting the information leaked to external sites when users navigate away from your pages.

About this task

Use these instructions to understand and customize the Referrer-Policy header for your HCL Commerce server responses using the wc-component.xml configuration file.

Note: The Referrer-Policy header is enabled by default starting from the HCL Commerce 9.1.20 release.

Procedure

  1. The Transaction Server's HttpSecurityFilter class adds the Referrer-Policy header based on the configuration specified in the wc-component.xml configuration file. The Referrer-Policy header is configured at the application level and is enabled by default for the REST WAR (the HttpSecuritySettings_Rest configuration grouping) as follows:

     <_config:configgrouping name="HttpSecuritySettings_Rest">
         <!--
             Set the value of the Referrer-Policy header. The recommended value is
             "strict-origin-when-cross-origin". It sends the origin, path, and query
             string when performing a same-origin request. For cross-origin requests,
             it sends the origin (only) when the protocol security level stays the same
             (HTTPS to HTTPS). It does not send the Referer header to less secure
             destinations (HTTPS to HTTP). Specifying an empty value will disable this
             header.
         -->
         <_config:property name="Referrer-PolicyHeader" value="strict-origin-when-cross-origin"/>
     </_config:configgrouping>

  2. Set one of the available Referrer-Policy values.
     The following table lists all valid values for the Referrer-Policy header:

     Value                              Description
     no-referrer                        The Referer header is omitted entirely. No referrer information is sent with requests.
     no-referrer-when-downgrade         Sends the origin, path, and query string when the protocol security level stays the same or improves (HTTP>HTTP, HTTP>HTTPS, HTTPS>HTTPS). Does not send to less secure destinations (HTTPS>HTTP).
     origin                             Sends only the origin (scheme, host, and port) in the Referer header.
     origin-when-cross-origin           Sends the full URL for same-origin requests, but only the origin for cross-origin requests.
     same-origin                        Sends the full URL for same-origin requests. Does not send the Referer header for cross-origin requests.
     strict-origin                      Sends only the origin when the protocol security level stays the same (HTTPS>HTTPS). Does not send to less secure destinations.
     strict-origin-when-cross-origin    (RECOMMENDED) Sends the full URL for same-origin requests. For cross-origin requests, sends only the origin when the protocol security level stays the same. Does not send to less secure destinations.
     unsafe-url                         (NOT RECOMMENDED) Sends the full URL regardless of security. Not recommended as it leaks potentially sensitive information.
  3. To disable the Referrer-Policy header, set the value to empty in your wc-component.xml configuration file:

     <_config:configgrouping name="HttpSecuritySettings_Rest">
         <_config:property name="Referrer-PolicyHeader" value=""/>
     </_config:configgrouping>
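As an added illustration of the value table in step 2 and of the empty-value rule in steps 1 and 3 (example code written for this page, not part of HCL Commerce or its HttpSecurityFilter), the following Python validates a Referrer-PolicyHeader property value and simulates the Referer value a browser would send from a store page to each destination under every policy. The sample URLs are constructed, and treating the empty (disabled) value as the browser's own default of strict-origin-when-cross-origin is an assumption about current browsers, not something the server controls.

```python
from urllib.parse import urlsplit, urlunsplit

# Every value the table in step 2 lists as valid. An empty string disables the
# header (see the wc-component.xml comment in step 1); it is not itself a policy.
VALID_POLICIES = frozenset({
    "no-referrer",
    "no-referrer-when-downgrade",
    "origin",
    "origin-when-cross-origin",
    "same-origin",
    "strict-origin",
    "strict-origin-when-cross-origin",
    "unsafe-url",
})


def validate_policy_value(value: str) -> str:
    """Check a Referrer-PolicyHeader property value as it would appear in
    wc-component.xml. Returns "disabled" for the empty string, "enabled" for a
    valid policy, and raises ValueError otherwise (a typo in the configuration
    would otherwise reach browsers, which ignore unknown policy tokens and fall
    back to their default)."""
    value = value.strip()
    if value == "":
        return "disabled"
    if value in VALID_POLICIES:
        return "enabled"
    raise ValueError(f"unknown Referrer-Policy value: {value!r}")


def _origin(url: str) -> str:
    """Origin form (scheme, host, port), serialized with a trailing slash as
    browsers do when they send only the origin."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), "/", "", ""))


def _full_url(url: str) -> str:
    """Full form: origin, path and query. The fragment is never sent in Referer."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path or "/", p.query, ""))


def _same_origin(src: str, dst: str) -> bool:
    return _origin(src) == _origin(dst)


def _downgrade(src: str, dst: str) -> bool:
    """True for HTTPS to HTTP, the only transition the table treats as less secure."""
    return urlsplit(src).scheme.lower() == "https" and urlsplit(dst).scheme.lower() == "http"


def referer_for(policy: str, src: str, dst: str):
    """Return the Referer value a browser would send for a request from page
    `src` to `dst` under `policy`, or None when the header is omitted."""
    policy = policy.strip()
    if validate_policy_value(policy) == "disabled":
        # Header disabled: the browser applies its own default. Assumption:
        # current browsers default to strict-origin-when-cross-origin.
        policy = "strict-origin-when-cross-origin"
    same, down = _same_origin(src, dst), _downgrade(src, dst)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _full_url(src)
    if policy == "origin":
        return _origin(src)
    if policy == "no-referrer-when-downgrade":
        return None if down else _full_url(src)
    if policy == "same-origin":
        return _full_url(src) if same else None
    if policy == "origin-when-cross-origin":
        return _full_url(src) if same else _origin(src)
    if policy == "strict-origin":
        return None if down else _origin(src)
    # strict-origin-when-cross-origin: full URL only within the origin; origin
    # only to other HTTPS sites; nothing on a downgrade to HTTP.
    if same:
        return _full_url(src)
    return None if down else _origin(src)


def leak_report(src: str, destinations) -> dict:
    """For each valid policy, what each destination would learn about `src`.
    Useful when deciding which value to put in wc-component.xml."""
    return {policy: {dst: referer_for(policy, src, dst) for dst in destinations}
            for policy in sorted(VALID_POLICIES)}


if __name__ == "__main__":
    # Constructed sample URLs (not real hosts).
    page = "https://shop.example.com/cart?item=42&coupon=SPRING"
    targets = [
        "https://shop.example.com/checkout",   # same origin
        "https://partner.example.net/track",   # cross-origin, still HTTPS
        "http://partner.example.net/track",    # cross-origin, downgrade to HTTP
    ]
    for policy, sent in leak_report(page, targets).items():
        print(policy)
        for dst, ref in sent.items():
            print(f"  -> {dst}: {ref}")
```

Running the script prints, for each policy, exactly what a third-party partner page would receive in the Referer header; the cart URL with its query string (item and coupon) reaches a cross-origin destination only under unsafe-url and no-referrer-when-downgrade, which is the leak the recommended strict-origin-when-cross-origin value prevents.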