stricter Referrer-Policy to reduce unintended information leakage

7 years ago · 7edc58b727
parent a4a961639d
commit 7edc58b727
1 changed files with 1 additions and 0 deletions
--- a/src/middleware/headers.js
+++ b/src/middleware/headers.js
@ -11,6 +11,7 @@ module.exports = function (middleware) {
 			'X-Frame-Options': meta.config['allow-from-uri'] ? 'ALLOW-FROM ' + encodeURI(meta.config['allow-from-uri']) : 'SAMEORIGIN',
 			'Access-Control-Allow-Methods': encodeURI(meta.config['access-control-allow-methods'] || ''),
 			'Access-Control-Allow-Headers': encodeURI(meta.config['access-control-allow-headers'] || ''),
+			'Referrer-Policy': 'strict-origin-when-cross-origin',	// consider using helmet?
 		};

 		if (meta.config['access-control-allow-origin']) {