diff --git a/src/security/referrer-policy.conf b/src/security/referrer-policy.conf
index e27613a0..08bf70f4 100644
--- a/src/security/referrer-policy.conf
+++ b/src/security/referrer-policy.conf
@@ -2,24 +2,25 @@ # | Referrer Policy | # ---------------------------------------------------------------------- -# A web application uses HTTPS and a URL-based session identifier. -# The web application might wish to link to HTTPS resources on other web -# sites without leaking the user's session identifier in the URL. +# Set a strict Referrer Policy to mitigate information leakage. # -# This can be done by setting a `Referrer Policy` which whitelists trusted -# sources of content for your website. +# (1) The `Referrer-Policy` header is included in responses for resources +# that are able to request (or navigate to) other resources. # -# To check your referrer policy, you can use an online service such as: -# https://securityheaders.io/. +# This includes the commonly used resource types: +# HTML, CSS, XML/SVG, PDF documents, scripts and workers. +# +# To prevent referrer leakage entirely, specify the `no-referrer` value +# instead. Note that the effect could impact analytics metrics negatively. +# +# To check your Referrer Policy, you can use an online service, such as: +# https://securityheaders.com/ +# https://observatory.mozilla.org/ # # https://scotthelme.co.uk/a-new-security-header-referrer-policy/ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy - # no-referrer-when-downgrade (default) - # This should be the user agent's default behavior if no policy is - # specified.The origin is sent as referrer to a-priori as-much-secure - # destination (HTTPS->HTTPS), but isn't sent to a less secure destination - # (HTTPS->HTTP). - Header set Referrer-Policy "no-referrer-when-downgrade" "expr=%{CONTENT_TYPE} =~ m#text/html#i" + # (1) + Header set Referrer-Policy "strict-origin-when-cross-origin" "expr=%{CONTENT_TYPE} =~ m#text\/(css|html|javascript)|application\/pdf|xml#i"
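Review bot: The new condition `m#text\/(css|html|javascript)|application\/pdf|xml#i` does not match `application/javascript` or `application/ecmascript`, so if this server serves .js files with one of those media types (as the IANA registration recommends) those script responses get no Referrer-Policy header at all, even though the added comment says scripts and workers are covered; either extend the pattern, e.g. `m#text\/(css|html|javascript)|application\/(javascript|pdf)|xml#i`, or narrow the comment to the types actually matched. The trailing `xml` alternative is unanchored and therefore matches any content type containing that substring (`image/svg+xml`, `application/xhtml+xml`, feed and XSLT types), which looks intended but deserves a sentence in the comment, e.g. `# "xml" is deliberately unanchored so that +xml structured types (SVG, XHTML, feeds) are covered`. Separately, `Header set` uses the `onsuccess` condition by default and so applies only to 2xx responses; `Header always set` would also cover error pages, which are HTML documents that can link out. The enclosing `<IfModule>` container is not visible in this hunk.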