diff --git a/h5bp/security/referrer-policy.conf b/h5bp/security/referrer-policy.conf
index 7233e29e..d978a369 100644
--- a/h5bp/security/referrer-policy.conf
+++ b/h5bp/security/referrer-policy.conf
@@ -2,15 +2,20 @@
 # | Referrer Policy |
 # ----------------------------------------------------------------------
 
-# A web application uses HTTPS and a URL-based session identifier.
-# The web application might wish to link to HTTPS resources on other web
-# sites without leaking the user's session identifier in the URL.
+# Set a strict Referrer Policy to mitigate information leakage.
 #
-# This can be done by setting a `Referrer Policy` which whitelists trusted
-# sources of content for your website.
+# (1) The `Referrer-Policy` header is included in responses for resources
+# that are able to request (or navigate to) other resources.
 #
-# To check your referrer policy, you can use an online service such as:
-# https://securityheaders.io/.
+# This includes the commonly used resource types:
+# HTML, CSS, XML/SVG, PDF documents, scripts and workers.
+#
+# To prevent referrer leakage entirely, specify the `no-referrer` value
+# instead. Note that the effect could impact analytics metrics negatively.
+#
+# To check your Referrer Policy, you can use an online service, such as:
+# https://securityheaders.com/
+# https://observatory.mozilla.org/
 #
 # https://scotthelme.co.uk/a-new-security-header-referrer-policy/
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
diff --git a/nginx.conf b/nginx.conf
index 854bbe9e..94a4b0aa 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -118,7 +118,7 @@ http {
 # Add Referrer-Policy for HTML documents.
 # h5bp/security/referrer-policy.conf.conf
 map $sent_http_content_type $referrer_policy {
-    ~*text/html "no-referrer-when-downgrade";
+    ~*text/html "strict-origin-when-cross-origin";
 }
 
 # Add X-UA-Compatible for HTML documents.
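Review bot: The new comment in h5bp/security/referrer-policy.conf promises that the `Referrer-Policy` header is sent for "HTML, CSS, XML/SVG, PDF documents, scripts and workers", but the `map $sent_http_content_type $referrer_policy` block changed in the nginx.conf hunk still has a single `~*text/html` branch and its own comment still says "for HTML documents", so every non-HTML response presumably leaves `$referrer_policy` empty and gets no header at all (the `include` that emits it is outside these hunks, so confirm how an empty value is handled there). Either the map should gain branches for the other types the comment lists, e.g. `~*text/css "strict-origin-when-cross-origin";`, `~*image/svg\+xml "strict-origin-when-cross-origin";`, `~*application/pdf "strict-origin-when-cross-origin";` plus the script/XML types, or the comment should be narrowed to "HTML documents" so readers are not told a protection is in place that the config does not apply. The "(1)" marker opening the second paragraph reads like a footnote reference but nothing in the file refers back to it; dropping it or turning the paragraph into a plain sentence would avoid the dangling label. Unrelated to this change but visible in the same hunk, the context line `# h5bp/security/referrer-policy.conf.conf` has a doubled extension and should read `# h5bp/security/referrer-policy.conf` to match the file actually touched in the first hunk.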