Set referrer policy to avoid leaking URL auth params

pimterry · pimterry · commit a1dd4abbfc18 · 2024-04-08T14:42:11.000+02:00
We're only leaking these to ourselves (strict-origin-when-cross-origin
is the default, which is equivalent to this for connections elsewhere)
and the auth token is only useful if you can access the local-only
CORS-blocked local admin port, but it's still a good idea not to let it
leave the machine.
diff --git a/Caddyfile b/Caddyfile
@@ -16,5 +16,7 @@
     header @get Cache-Control "public, max-age=60, stale-while-revalidate=600, stale-if-error=86400"
 
     header Content-Security-Policy "frame-ancestors 'none'"
+    header Referrer-Policy "strict-origin"
+
     header X-Clacks-Overhead "GNU Terry Pratchett" # https://xclacksoverhead.org
 }

Original file line number	Diff line number	Diff line change
`@@ -16,5 +16,7 @@`
`16`	`16`	`header @get Cache-Control "public, max-age=60, stale-while-revalidate=600, stale-if-error=86400"`
`17`	`17`
`18`	`18`	`header Content-Security-Policy "frame-ancestors 'none'"`
	`19`	`+ header Referrer-Policy "strict-origin"`
	`20`	`+`
`19`	`21`	`header X-Clacks-Overhead "GNU Terry Pratchett" # https://xclacksoverhead.org`
`20`	`22`	`}`