From f600128203e6319d6f3ce02e2538bf65b0ed01ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Colombaro?=
Date: Wed, 13 Feb 2019 14:31:53 +0100
Subject: [PATCH] Add Referrer-Policy for html document by default

---
 h5bp/basic.conf                    | 1 +
 h5bp/security/referrer-policy.conf | 2 +-
 nginx.conf                         | 6 ++++++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/h5bp/basic.conf b/h5bp/basic.conf
index 24bd863..b8bd24a 100644
--- a/h5bp/basic.conf
+++ b/h5bp/basic.conf
@@ -3,6 +3,7 @@
 include h5bp/internet_explorer/x-ua-compatible.conf;
 include h5bp/security/content-security-policy.conf;
+include h5bp/security/referrer-policy.conf.conf;
 include h5bp/security/x-content-type-options.conf;
 include h5bp/security/x-frame-options.conf;
 include h5bp/security/x-xss-protection.conf;
diff --git a/h5bp/security/referrer-policy.conf b/h5bp/security/referrer-policy.conf
index 58136e8..3b85f5c 100644
--- a/h5bp/security/referrer-policy.conf
+++ b/h5bp/security/referrer-policy.conf
@@ -15,4 +15,4 @@
 # https://scotthelme.co.uk/a-new-security-header-referrer-policy/
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
 
-add_header Referrer-Policy "no-referrer-when-downgrade" always;
+add_header Referrer-Policy $referrer_policy always;
diff --git a/nginx.conf b/nginx.conf
index 3ea3dd4..3655b8c 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -115,6 +115,12 @@ http {
     text/html "script-src 'self'; object-src 'self'";
   }
 
+  # Add Referrer-Policy for HTML documents.
+  # h5bp/security/referrer-policy.conf.conf
+  map $sent_http_content_type $referrer_policy {
+    text/html "no-referrer-when-downgrade";
+  }
+
   # Add X-UA-Compatible for HTML documents.
   # h5bp/internet_explorer/x-ua-compatible.conf
   map $sent_http_content_type $x_ua_compatible {
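Review bot: The added include names `h5bp/security/referrer-policy.conf.conf`, a file that does not exist — the file this same patch modifies is `h5bp/security/referrer-policy.conf` — so the doubled suffix will make `nginx -t` fail with an open() error on the include. Change the line to `include h5bp/security/referrer-policy.conf;`. The same doubled suffix appears in the pointer comment added by the nginx.conf hunk (`# h5bp/security/referrer-policy.conf.conf`), which should read `# h5bp/security/referrer-policy.conf`.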
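Review bot: The directive now reads `$referrer_policy`, which this file neither defines nor documents; the variable only exists because of the `map` added to nginx.conf in the same patch, so anyone including this file on its own will get an "unknown variable" error at startup. Add a line above the directive such as `# Requires the $referrer_policy map declared in nginx.conf (http context).` That comment should also state the behavioural change: a Content-Type not listed in the map yields an empty value, and nginx does not emit an `add_header` whose value is empty, so non-HTML responses no longer carry Referrer-Policy as they did with the removed literal.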
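Review bot: The new map uses `text/html` as an exact-match key, so if a `charset` directive is active in this configuration `$sent_http_content_type` will presumably be `text/html; charset=...` and the header is never added; a regex key such as `~*text/html "no-referrer-when-downgrade";` would cover both forms. The CSP map visible in the context lines above uses the same exact-match key, so this is consistent with the existing style, but the question applies to both and is worth confirming against the live headers. There is also no `default` entry, which means every other content type gets an empty value and therefore no header; if that is the intent, say so in the comment above the map. The enclosing `http { }` block starts and ends outside the hunk.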