Stricter default for Referrer Policy
LeoColomb committed Jan 3, 2020
1 parent 177a5e9 commit e0724b8
Showing 2 changed files with 13 additions and 8 deletions.
19 changes: 12 additions & 7 deletions h5bp/security/referrer-policy.conf
Expand Up @@ -2,15 +2,20 @@
# | Referrer Policy |
# ----------------------------------------------------------------------

# A web application uses HTTPS and a URL-based session identifier.
# The web application might wish to link to HTTPS resources on other web
# sites without leaking the user's session identifier in the URL.
# Set a strict Referrer Policy to mitigate information leakage.
#
# This can be done by setting a `Referrer Policy` which whitelists trusted
# sources of content for your website.
# (1) The `Referrer-Policy` header is included in responses for resources
# that are able to request (or navigate to) other resources.
#
# To check your referrer policy, you can use an online service such as:
# https://securityheaders.io/.
# This includes the commonly used resource types:
# HTML, CSS, XML/SVG, PDF documents, scripts and workers.
#
# To prevent referrer leakage entirely, specify the `no-referrer` value
# instead. Note that the effect could impact analytics metrics negatively.
#
# To check your Referrer Policy, you can use an online service, such as:
# https://securityheaders.com/
# https://observatory.mozilla.org/
#
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
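Review bot: The rewritten comment block opens an enumeration with "(1)" but no "(2)" follows anywhere in the hunk, so either drop the numbering or add the remaining items. The block also never names the value this commit actually sets (`strict-origin-when-cross-origin`, per the nginx.conf change) or what makes it stricter than the old `no-referrer-when-downgrade`: the full URL is still sent to same-origin requests, only the origin is sent cross-origin, and nothing is sent when going from HTTPS to HTTP. A one-line note to that effect next to the `no-referrer` paragraph would let readers judge the analytics trade-off without following the external links.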
2 changes: 1 addition & 1 deletion nginx.conf
Expand Up @@ -118,7 +118,7 @@ http {
# Add Referrer-Policy for HTML documents.
# h5bp/security/referrer-policy.conf.conf
map $sent_http_content_type $referrer_policy {
~*text/html "no-referrer-when-downgrade";
~*text/html "strict-origin-when-cross-origin";
}

# Add X-UA-Compatible for HTML documents.
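Review bot: The `map` still matches only `~*text/html`, while the updated comment in h5bp/security/referrer-policy.conf says the header is sent for "HTML, CSS, XML/SVG, PDF documents, scripts and workers"; either extend the pattern to cover those content types or make the conf comment match the actual `text/html`-only behaviour. Also, the unchanged context line `# h5bp/security/referrer-policy.conf.conf` has a doubled `.conf` extension and should read `# h5bp/security/referrer-policy.conf`.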

0 comments on commit e0724b8