Module ngx_http_referer_module allows to block the access to service for requests with wrong Referer value.
It's often used for setting X-Frame-Options header (ClickJacking protection), but there may be other cases.
Typical problems with this module's config:
- use of
server_nameswith bad server name (server_namedirective); - too broad and/or bad regexes;
- use of
none.
Notice: at the moment, Gixy can only detect the use of
noneas a valid referer.
According to docs:
none- the “Referer” field is missing in the request header;
Still, it's important to remember that any resource can make user's browser to make a request without a Referer request header.
E.g.:
- in case of redirect from HTTPS to HTTP;
- by setting up the Referrer Policy;
- a request with opaque origin,
data:scheme, for example.
So, by using none as a valid referer, you nullify any attemps in refferer validation.