
Commit 43bcb83

Malvoz and LeoColomb committed
Referrer-Policy: expand applicable media-types + stricter def… (#204)
Co-authored-by: Léo Colombaro <[email protected]>
1 parent d8553ee commit 43bcb83

1 file changed

+14
-13
lines changed

src/security/referrer-policy.conf

@@ -2,24 +2,25 @@
22
# | Referrer Policy |
33
# ----------------------------------------------------------------------
44

5-
# A web application uses HTTPS and a URL-based session identifier.
6-
# The web application might wish to link to HTTPS resources on other web
7-
# sites without leaking the user's session identifier in the URL.
5+
# Set a strict Referrer Policy to mitigate information leakage.
86
#
9-
# This can be done by setting a `Referrer Policy` which whitelists trusted
10-
# sources of content for your website.
7+
# (1) The `Referrer-Policy` header is included in responses for resources
8+
# that are able to request (or navigate to) other resources.
119
#
12-
# To check your referrer policy, you can use an online service such as:
13-
# https://securityheaders.io/.
10+
# This includes the commonly used resource types:
11+
# HTML, CSS, XML/SVG, PDF documents, scripts and workers.
12+
#
13+
# To prevent referrer leakage entirely, specify the `no-referrer` value
14+
# instead. Note that the effect could impact analytics metrics negatively.
15+
#
16+
# To check your Referrer Policy, you can use an online service, such as:
17+
# https://securityheaders.com/
18+
# https://observatory.mozilla.org/
1419
#
1520
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
1621
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
1722

1823
<IfModule mod_headers.c>
19-
# no-referrer-when-downgrade (default)
20-
# This should be the user agent's default behavior if no policy is
21-
# specified.The origin is sent as referrer to a-priori as-much-secure
22-
# destination (HTTPS->HTTPS), but isn't sent to a less secure destination
23-
# (HTTPS->HTTP).
24-
Header set Referrer-Policy "no-referrer-when-downgrade" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
24+
# (1)
25+
Header set Referrer-Policy "strict-origin-when-cross-origin" "expr=%{CONTENT_TYPE} =~ m#text\/(css|html|javascript)|application\/pdf|xml#i"
2526
</IfModule>
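Review bot: the new comment block promises coverage of "scripts and workers", but the expression on the `Header set` line only matches `text/javascript`; a `.js` served as `application/javascript` (or `application/x-javascript`) gets no `Referrer-Policy` header at all. Consider widening that branch, e.g. `(text|application)\/(x-)?javascript`, or stating in the comment (1) that `text/javascript` is the assumed media type for scripts. Two smaller points on the same line: the bare `xml` alternative is unanchored, so it also fires on any type merely containing "xml" (Office `application/vnd.openxmlformats-...` documents, for instance), which is broader than the "XML/SVG" the comment lists; and `Header set` without `always` only touches the success headers table, so 4xx/5xx responses with `text/html` bodies (error pages that can still carry links) are left without the policy, which `Header always set` would cover.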
