Logs the HTTP Referer (or referrer) header as req_referrer and Origin header as req_origin, helping us track where requests come from. The easiest way to test this is via Postman:
An automated version of this test has also been included. If no referrer is present, the HTTP Origin is used instead.
As mentioned in #1386, we might also need to modify the referrer policy across our webapps in order to properly set the relevant fields. The default referrer policy is:
> Send the origin, path, and querystring when performing a same-origin request. For cross-origin requests send the origin (only) when the protocol security level stays same (HTTPS→HTTPS). Don't send the [Referer](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer) header to less secure destinations (HTTPS→HTTP).
Since the API endpoint is HTTPS, for some webapps these headers are likely to be already set out of the box, but further testing will still be necessary.
Prerequisites:
- [x] Unless it is a documentation hotfix it should be merged against the dev branch
- [x] Branch is up-to-date with the branch to be merged with, i.e. dev
Related: #1386.
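
The fallback described above, as an added Python example that is not code from this PR or its project. The function name `referrer_log_fields`, the length cap, and the stripping of query strings and userinfo are assumptions of the example; both headers are client-supplied, so their values are escaped before they reach a log line.

```python
import re
from urllib.parse import urlsplit

MAX_LEN = 512  # assumed cap; the PR does not state one
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def _clean(value):
    """Neutralise a client-supplied header value before it is logged."""
    if not value:
        return None
    # Escape CR/LF and other control characters so that a single request
    # cannot forge additional log lines or fields.
    value = _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value.strip())
    return value[:MAX_LEN] or None


def _strip_query(url):
    """Drop query string, fragment and userinfo, which may carry secrets."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed authority, e.g. an unbalanced '['
        return url.split("?", 1)[0].split("#", 1)[0]
    if not parts.scheme or not parts.netloc:
        return url  # not an absolute URL; keep the cleaned value as-is
    host = parts.netloc.rpartition("@")[2]
    return f"{parts.scheme}://{host}{parts.path}"


def referrer_log_fields(headers):
    """Build the req_referrer / req_origin log fields from request headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    origin = _clean(h.get("origin"))
    referrer = _clean(h.get("referer") or h.get("referrer"))
    if referrer:
        referrer = _strip_query(referrer)
    else:
        referrer = origin  # no referrer present: use Origin instead
    return {"req_referrer": referrer, "req_origin": origin}


if __name__ == "__main__":
    # Constructed sample headers, not taken from the PR.
    sample = {"Referer": "https://app.example/page?token=abc",
              "Origin": "https://app.example"}
    print(referrer_log_fields(sample))
```
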