    FLoC, or Federated Learning of Cohorts, is a recent rollout by Google that replaces third-party cookies with its own user-tracking mechanism built into the browser itself.

    It is built into the Chrome browser itself, so privacy-conscious users can switch to a privacy-focused browser to avoid being tracked. Website owners can also opt out of FLoC by making a simple modification to their web server's HTTP response headers.

    I would suggest checking out this Google and GitHub page to learn more about FLoC.

    In this article, we’ll cover how you, as a website owner, can opt out of FLoC with a simple configuration change in your web server.

    Custom HTTP Header

    A custom HTTP response header tells the browser that the website owner is opting out of FLoC, so visits to the site are not used when computing a user's cohort. The response header for this is:

    Permissions-Policy: interest-cohort=()

    Let’s see the implementation.

    NGINX

    For NGINX, add an add_header directive inside each server block (if a single configuration file serves multiple websites) or in each site's own configuration file.

    server {
        location / {
            add_header Permissions-Policy "interest-cohort=()";
            ...
        }
    }

    Then restart the NGINX service:

    systemctl restart nginx

    Alternatively, add the following in the http block so that it applies to every server block. Note that NGINX inherits add_header directives from the enclosing level only when the current level defines no add_header of its own, so a server or location block with its own add_header directives needs this line repeated there.

    add_header Permissions-Policy "interest-cohort=()";

    The HTTP response headers would then look like this:

    HTTP/1.1 200 OK
    Server: nginx/1.14.1
    Date: Fri, 30 Apr 2021 06:37:02 GMT
    Content-Type: text/html
    Content-Length: 4057
    Last-Modified: Mon, 07 Oct 2019 21:16:24 GMT
    Connection: keep-alive
    ETag: "5d9bab28-fd9"
    Permissions-Policy: interest-cohort=()
    Accept-Ranges: bytes

    Apache

    For the Apache web server, add the custom header to your configuration file as follows:

    <IfModule mod_headers.c>
      Header always set Permissions-Policy "interest-cohort=()"
    </IfModule>

    Then restart Apache to make it effective:

    systemctl restart httpd

    The response headers will then look like this:

    HTTP/1.1 200 OK
    Date: Fri, 30 Apr 2021 06:49:58 GMT
    Server: Apache/2.4.37 (centos)
    Permissions-Policy: interest-cohort=()
    Last-Modified: Thu, 29 Apr 2021 06:40:41 GMT
    ETag: "3-5c116c620a6f1"
    Accept-Ranges: bytes
    Content-Length: 3
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8

    WordPress

    If your WordPress site is on shared hosting, you won’t have the option to edit the web server configuration file. The good news is that you can set headers from the codebase via hooks. In your active theme’s functions.php, add the following lines at the end:

    add_filter(
    	'wp_headers',
    	function ( $headers ) {
    		if ( empty( $headers['Permissions-Policy'] ) ) {
    			// No policy set yet: send the FLoC opt-out on its own.
    			$headers['Permissions-Policy'] = 'interest-cohort=()';
    		} elseif ( false === strpos( $headers['Permissions-Policy'], 'interest-cohort' ) ) {
    			// A policy already exists but says nothing about interest-cohort:
    			// append the directive (Permissions-Policy directives are comma-separated).
    			$headers['Permissions-Policy'] .= ', interest-cohort=()';
    		}
    
    		return $headers;
    	}
    );

    Save the file in the WordPress admin backend and the header should be sent with all new responses. Make sure to clear the site’s cache (whatever caching mechanism or plugin is in use) so that the new header takes effect.

    Here is what the response headers of my implementation look like.

    cache-control: no-cache, must-revalidate, max-age=0
    content-encoding: br
    content-type: text/html; charset=UTF-8
    date: Fri, 30 Apr 2021 13:40:14 GMT
    expires: Wed, 11 Jan 1984 05:00:00 GMT
    host-header: 6b7412fb82ca5edfd0917e3957f05d89
    link: <https://geekflaresg.com/wp-json/>; rel="https://api.w.org/"
    permissions-policy: interest-cohort=()
    server: nginx
    set-cookie: wpSGCacheBypass=1; expires=Fri, 30-Apr-2021 15:20:14 GMT; Max-Age=6000; path=/; HttpOnly; SameSite=Lax
    vary: Accept-Encoding
    x-cache-enabled: True
    x-httpd: 1
    x-proxy-cache: BYPASS
    x-proxy-cache-info: 0 NC:100000 UP:SKIP_CACHE_SET_COOKIE

    Another easy solution would be to use the HTTP Headers plugin.

    HAProxy

    HAProxy lets you add the header in its configuration. In the frontend, listen or backend section (whichever applies), add the following directive:

    http-response set-header Permissions-Policy "interest-cohort=()"

    Make sure to restart your HAProxy server:

    systemctl restart haproxy

    This will make the header effective for all new requests.

    Traefik

    Traefik, mostly used as an ingress controller in containerized environments, can be configured to opt out of FLoC much like the servers above: define a headers middleware that adds the response header, and attach that middleware to the router serving the site, otherwise the header is never applied. In your traefik.toml file, add the following lines:

    [http.middlewares]
      [http.middlewares.floc.headers]
        [http.middlewares.floc.headers.customResponseHeaders]
            Permissions-Policy = "interest-cohort=()"

    Or for YAML based configuration (traefik.yml) use:

    http:
      middlewares:
        floc:
          headers:
            customResponseHeaders:
              Permissions-Policy: "interest-cohort=()"

    Or, if you run Traefik with Docker, add the following label to the service in docker-compose.yml:

    labels:
      - "traefik.http.middlewares.floc.headers.customresponseheaders.Permissions-Policy=interest-cohort=()"

    Summary

    FLoC is a new tracking mechanism, and if you don’t want to serve interest-based advertisements on your website, you can opt out by setting the Permissions-Policy header as explained above. As a user, you can check the dedicated page (Am I FLoCed?) to see whether you are being tracked with FLoC.
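As an added example (not part of the original article), here is a small Python check that parses raw response headers like the NGINX, Apache and WordPress listings above and confirms that interest-cohort has an empty allowlist, plus a helper that merges the directive into an existing Permissions-Policy value the way the WordPress filter does. The sample responses are constructed for this example, not real captures.

```python
import re
from typing import Dict, List, Optional

# Constructed sample responses for this example (header values are illustrative,
# modelled on the NGINX and Apache listings in the article, not real captures).
NGINX_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.14.1\r\n"
    "Content-Type: text/html\r\n"
    "Permissions-Policy: interest-cohort=()\r\n"
    "\r\n<html></html>"
)
NO_OPT_OUT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.37 (centos)\r\n"
    "permissions-policy: geolocation=(self), camera=()\r\n"
    "\r\n"
)

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lowercase header names to their values from a raw HTTP/1.1 response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def parse_permissions_policy(value: str) -> Dict[str, str]:
    """Parse 'feature=(allowlist), other=*' into {feature: allowlist}."""
    policy: Dict[str, str] = {}
    for m in re.finditer(r"([a-z0-9-]+)\s*=\s*(\([^)]*\)|[^,\s]+)", value, re.I):
        policy[m.group(1).lower()] = m.group(2).replace(" ", "")
    return policy

def floc_opted_out(raw: str) -> bool:
    """True only if interest-cohort has an empty allowlist, i.e. FLoC is disabled."""
    headers = parse_headers(raw)
    # Several Permissions-Policy headers (e.g. CDN plus origin) form one list.
    combined = ", ".join(headers.get("permissions-policy", []))
    return parse_permissions_policy(combined).get("interest-cohort") == "()"

def add_floc_opt_out(existing: Optional[str]) -> str:
    """Merge interest-cohort=() into an existing policy value without dropping
    other features, as the WordPress filter does; an allowlist such as (self)
    that would keep FLoC enabled is overridden."""
    policy = parse_permissions_policy(existing or "")
    policy["interest-cohort"] = "()"
    return ", ".join(f"{k}={v}" for k, v in policy.items())
```

Point floc_opted_out at the headers you get from a real request (for example the output of `curl -sI` on your site) to confirm the configuration actually reached the client, past any cache or CDN in front of the origin.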