Description

This publicly exposed API endpoint was found responding with HTML or browser-rendered content and lacks the Referrer-Policy header. Setting this header prevents leaking sensitive URL data (tokens, IDs, parameters) if requests go to external domains.

Remediation

Add the Referrer-Policy header to prevent leaking URL information if the content is rendered:

Example header values:

# If your site makes no use of referrer
Referrer-Policy: no-referrer

# Alternatively use this if referrer can be utilized by your app
Referrer-Policy: strict-origin-when-cross-origin