Commit bf9f4a3

Set Referrer Policy
Browsers include a `Referrer` header that identifies where a user came from when visiting a new page. It's useful in tracking where users are coming from, but there are some privacy concerns with that. The `Referrer-Policy` header controls when and how much information is provided.

- `no-referrer`. Tells the browser to never send the `Referer` header.
- `same-origin`. Send the referrer, but only on requests inside the site (e.g. /security-in-the-static-buildpack => /posts)
- `strict-origin`. Send the referrer information to all origins, but only the URL sans path (e.g. https://example.com/)
- `strict-origin-when-cross-origin`. Send full referrer information on same origin, but only the URL sans path on foreign origin.

`no-referrer` can be used as a fallback for browsers as many of these options have not yet been implemented at this point.
1 parent bb5be5f commit bf9f4a3
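As an added illustration, not part of this commit or the site's own code: a small JavaScript model of how a browser resolves the comma-separated `Referrer-Policy` value set in this commit (the last token it recognizes wins, unknown tokens are skipped) and what `Referer` it then sends under each of the four policies the commit message lists. The function names `selectPolicy` and `refererFor` and the sample URLs are constructed for this example.

```javascript
// Added example (not the commit's or the site's own code): model the browser
// side of the Referrer-Policy header from this commit.
const KNOWN_POLICIES = new Set([
  "no-referrer",
  "same-origin",
  "strict-origin",
  "strict-origin-when-cross-origin",
]);

// A comma-separated header is read left to right; the last token the browser
// recognizes is the one applied, unknown tokens are ignored. That is why
// "no-referrer, strict-origin-when-cross-origin" gives a browser that only
// knows `no-referrer` the strict fallback and a newer browser the second value.
// `supported` stands in for the set of policies a given browser understands.
function selectPolicy(headerValue, supported = KNOWN_POLICIES) {
  let chosen = null; // null: no recognized policy, browser default applies
  for (const raw of headerValue.split(",")) {
    const token = raw.trim();
    if (supported.has(token)) chosen = token;
  }
  return chosen;
}

// Referer value sent when navigating from `fromUrl` to `toUrl` under `policy`;
// null means the header is omitted entirely.
function refererFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  // Going from HTTPS to plain HTTP is a downgrade; the strict-* policies send
  // nothing in that case so the HTTPS URL never leaks over cleartext.
  const downgrade = from.protocol === "https:" && to.protocol === "http:";
  // "Full" referrer: the URL with credentials and fragment stripped.
  const full = new URL(from.href);
  full.username = ""; full.password = ""; full.hash = "";
  const originOnly = from.origin + "/"; // e.g. https://example.com/
  switch (policy) {
    case "no-referrer":
      return null;
    case "same-origin":
      return sameOrigin ? full.href : null;
    case "strict-origin":
      return downgrade ? null : originOnly;
    case "strict-origin-when-cross-origin":
      if (downgrade) return null;
      return sameOrigin ? full.href : originOnly;
    default:
      throw new Error(`unsupported policy: ${policy}`);
  }
}
```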

1 file changed

+1
-0
lines changed

static.json

Lines changed: 1 addition & 0 deletions
@@ -3,6 +3,7 @@
33
"headers": {
44
"/**": {
55
"Content-Security-Policy": "default-src 'self'; script-src https://static.ads-twitter.com https://www.google-analytics.com 'sha256-q2sY7jlDS4SrxBg6oq/NBYk9XVSwDsterXWpH99SAn0='; img-src 'self' https://s3.amazonaws.com https://twitter.com https://pbs.twimg.com; font-src 'self' https://fonts.gstatic.com; style-src 'self' https://fonts.googleapis.com; frame-ancestors 'none';",
6+
"Referrer-Policy": "no-referrer, strict-origin-when-cross-origin",
67
"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
78
"X-Content-Type-Options": "nosniff",
89
"X-Frame-Options": "DENY",
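Review bot: the token order in `"Referrer-Policy": "no-referrer, strict-origin-when-cross-origin"` is the right one for the fallback the commit message describes, but that is easy to get backwards, so it is worth stating in the commit message that browsers apply the last token they recognize: a browser that only knows `no-referrer` uses it, and one that also knows `strict-origin-when-cross-origin` uses that instead. Reversing the two would make every browser that understands both fall back to `no-referrer`. Since `static.json` cannot carry comments, the commit message is the only place this rationale can live.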
