Stricter default for Referrer Policy

Ref: https://github.com/h5bp/server-configs-apache/pull/204
This commit is contained in:
Léo Colombaro 2020-01-03 19:36:51 +01:00
parent 177a5e94a6
commit e0724b8149
No known key found for this signature in database
GPG Key ID: 687B480A6D4F735F
2 changed files with 13 additions and 8 deletions

View File

@ -2,15 +2,20 @@
# | Referrer Policy | # | Referrer Policy |
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# A web application uses HTTPS and a URL-based session identifier. # Set a strict Referrer Policy to mitigate information leakage.
# The web application might wish to link to HTTPS resources on other web
# sites without leaking the user's session identifier in the URL.
# #
# This can be done by setting a `Referrer Policy` which whitelists trusted # (1) The `Referrer-Policy` header is included in responses for resources
# sources of content for your website. # that are able to request (or navigate to) other resources.
# #
# To check your referrer policy, you can use an online service such as: # This includes the commonly used resource types:
# https://securityheaders.io/. # HTML, CSS, XML/SVG, PDF documents, scripts and workers.
#
# To prevent referrer leakage entirely, specify the `no-referrer` value
# instead. Note that the effect could impact analytics metrics negatively.
#
# To check your Referrer Policy, you can use an online service, such as:
# https://securityheaders.com/
# https://observatory.mozilla.org/
# #
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/ # https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

View File

@ -118,7 +118,7 @@ http {
# Add Referrer-Policy for HTML documents. # Add Referrer-Policy for HTML documents.
# h5bp/security/referrer-policy.conf.conf # h5bp/security/referrer-policy.conf.conf
map $sent_http_content_type $referrer_policy { map $sent_http_content_type $referrer_policy {
~*text/html "no-referrer-when-downgrade"; ~*text/html "strict-origin-when-cross-origin";
} }
# Add X-UA-Compatible for HTML documents. # Add X-UA-Compatible for HTML documents.