From a4916d7b895f8d9840a0dbff647a66de06bcf6d5 Mon Sep 17 00:00:00 2001
From: "Chinmay D. Pai"
Date: Tue, 26 May 2020 10:51:34 +0530
Subject: [PATCH] fix: set referrer-policy header in nginx config

sets the "Referrer-Policy" header to "strict-origin-when-cross-origin", with "same-origin" as a fallback

setting the referrer policy prevents sharing site context to external links, preventing cross-site hijacking or tab nagging.

Signed-off-by: Chinmay D. Pai
---
 bench/config/templates/nginx.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/bench/config/templates/nginx.conf b/bench/config/templates/nginx.conf
index 9df365f3..d5e5109e 100644
--- a/bench/config/templates/nginx.conf
+++ b/bench/config/templates/nginx.conf
@@ -49,6 +49,7 @@ server {
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
+add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin";
 location /assets {
 try_files $uri =404;