0ct0pu5/FluxBB_by_Visman
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Update Referrer-Policy

Browse source 
Change origin-when-cross-origin to strict-origin-when-cross-origin.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
This commit is contained in:
Visman 2021-03-13 00:19:35 +07:00
parent c66474f6a5
commit 951ca0afdf
2 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.dist.htaccess
View file

@ -12,7 +12,7 @@ AddDefaultCharset UTF-8
#
Header always set Content-Security-Policy "object-src 'none';frame-ancestors 'none';base-uri 'none';form-action 'self'" "expr=-z %{resp:Content-Security-Policy}"
Header always set Feature-Policy "accelerometer 'none';ambient-light-sensor 'none';autoplay 'none';battery 'none';camera 'none';document-domain 'self';fullscreen 'self';geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none';sync-xhr 'self';usb 'none'" "expr=-z %{resp:Feature-Policy}"
Header always set Referrer-Policy "origin-when-cross-origin" "expr=-z %{resp:Referrer-Policy}"
Header always set Referrer-Policy "strict-origin-when-cross-origin" "expr=-z %{resp:Referrer-Policy}"
# for https only mode
# Header set Strict-Transport-Security "max-age=31536000" "expr=-z %{resp:Strict-Transport-Security}"
Header always set X-Content-Type-Options "nosniff" "expr=-z %{resp:X-Content-Type-Options}"

2
nginx.dist.conf
View file

@ -13,7 +13,7 @@ server {
add_header Content-Security-Policy "object-src 'none';frame-ancestors 'none';base-uri 'none';form-action 'self'" always;
add_header Feature-Policy "accelerometer 'none';ambient-light-sensor 'none';autoplay 'none';battery 'none';camera 'none';document-domain 'self';fullscreen 'self';geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none';sync-xhr 'self';usb 'none'" always;
add_header Referrer-Policy "origin-when-cross-origin" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# add_header Strict-Transport-Security "max-age=31536000" always; # for https only
add_header X-Content-Type-Options "nosniff" always;
# add_header X-Frame-Options "DENY" always; # fluxbb set this header, in nginx it is difficult to combine headers from two sources