[FEATURE] Add Referrer-Policy template (#130)

* [FEATURE] Add Referrer-Policy template * Update referrer-policy.conf - remove syntax examples - remove colon, use quotation marks instead - fix description block
h5bp · Mar 14, 2018 · 591083e · 591083e
1 parent 82bb5c4
commit 591083e
Showing 1 changed file with 36 additions and 0 deletions.
diff --git a/src/security/referrer-policy.conf b/src/security/referrer-policy.conf
@@ -0,0 +1,36 @@
+# ----------------------------------------------------------------------
+# | Referrer Policy                                                    |
+# ----------------------------------------------------------------------
+
+# A web application uses HTTPS and a URL-based session identifier.
+# The web application might wish to link to HTTPS resources on other
+# web sites without leaking the user's session identifier in the URL.
+#
+# This can be done by setting a `Referrer Policy` which
+# whitelists trusted sources of content for your website.
+#
+# To check your referrer policy, you can use an online service
+# such as: https://securityheaders.io/.
+#
+# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+
+<IfModule mod_headers.c>
+
+    # no-referrer-when-downgrade (default)
+    # This should be the user agent's default behavior if no policy is
+    # specified.The origin is sent as referrer to a-priori as-much-secure
+    # destination (HTTPS->HTTPS), but isn't sent to a less secure destination
+    # (HTTPS->HTTP).
+
+    Header set Referrer-Policy "no-referrer-when-downgrade"
+
+    # `mod_headers` cannot match based on the content-type, however,
+    # the `Referrer-Policy` response header should be send
+    # only for HTML documents and not for the other resources.
+
+    <FilesMatch "\.(%FilesMatchPattern%)$">
+        Header unset Referrer-Policy
+    </FilesMatch>
+
+</IfModule>