Add Referrer-Policy for html document by default

h5bp/basic.conf

@@ -3,6 +3,7 @@
 
 include h5bp/internet_explorer/x-ua-compatible.conf;
 include h5bp/security/content-security-policy.conf;
+include h5bp/security/referrer-policy.conf.conf;
 include h5bp/security/x-content-type-options.conf;
 include h5bp/security/x-frame-options.conf;
 include h5bp/security/x-xss-protection.conf;

h5bp/security/referrer-policy.conf

@@ -15,4 +15,4 @@
 # https://scotthelme.co.uk/a-new-security-header-referrer-policy/
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
 
-add_header Referrer-Policy "no-referrer-when-downgrade" always;
+add_header Referrer-Policy $referrer_policy always;

nginx.conf

@@ -115,6 +115,12 @@ http {
     text/html "script-src 'self'; object-src 'self'";
   }
 
+  # Add Referrer-Policy for HTML documents.
+  # h5bp/security/referrer-policy.conf.conf
+  map $sent_http_content_type $referrer_policy {
+    text/html "no-referrer-when-downgrade";
+  }
+
   # Add X-UA-Compatible for HTML documents.
   # h5bp/internet_explorer/x-ua-compatible.conf
   map $sent_http_content_type $x_ua_compatible {