Referrer-Policy: expand applicable media-types + stricter default #204

Merged (6 commits), Jan 3, 2020
25 changes: 12 additions & 13 deletions src/security/referrer-policy.conf
@@ -2,24 +2,23 @@
# | Referrer Policy |
# ----------------------------------------------------------------------

# A web application uses HTTPS and a URL-based session identifier.
# The web application might wish to link to HTTPS resources on other
# web sites without leaking the user's session identifier in the URL.
# Set a strict Referrer Policy to mitigate information leakage.
#
# This can be done by setting a `Referrer Policy` which
# whitelists trusted sources of content for your website.
# (1) The `Referrer-Policy` header is included in all responses for
# resources that are able to request other resources. This includes
# the commonly used resource types:
# HTML, XML/SVG, PDF documents, scripts and workers.
#
# To check your referrer policy, you can use an online service
# such as: https://securityheaders.io/.
# To prevent referrer leakage entirely, specify the `no-referrer` value
# instead. Note that the effect could impact analytics metrics negatively.
#
# To check your Referrer Policy, you can use an online service
# such as: https://securityheaders.com/.
#
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

<IfModule mod_headers.c>
# no-referrer-when-downgrade (default)
# This should be the user agent's default behavior if no policy is
# specified.The origin is sent as referrer to a-priori as-much-secure
# destination (HTTPS->HTTPS), but isn't sent to a less secure destination
# (HTTPS->HTTP).
Header set Referrer-Policy "no-referrer-when-downgrade" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
# (1)
Header set Referrer-Policy "strict-origin-when-cross-origin" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
</IfModule>
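Review bot: the content-type match on the final `Header set` line covers `text/javascript` only, so scripts served as `application/javascript` or `application/x-javascript` (what a stock Apache `mime.types` emits for `.js` unless the server's own `mime.types` remaps it to `text/javascript`) will not receive the header, even though the comment above promises coverage of "scripts and workers"; consider matching on `(text|application)\/(x-)?javascript` or simply on `javascript`. Two smaller points on the same line: the bare `xml` alternative is unanchored and matches any type containing that substring (`application/xml`, `image/svg+xml`, `application/rss+xml`, and so on), which looks intended for the "XML/SVG" case but should be spelled out in the comment; and `Header set` without `always` only applies to successful responses, so an error page served as `text/html` will go out without any Referrer-Policy, which `Header always set Referrer-Policy ...` would avoid.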