enabled: true,
sts: false,
sts_max_age: 31_536_000,
- ct_max_age: 2_592_000
+ ct_max_age: 2_592_000,
+ referrer_policy: "same-origin"
config :cors_plug,
max_age: 86_400,
* ``sts``: Whether to additionally send a `Strict-Transport-Security` header
* ``sts_max_age``: The maximum age for the `Strict-Transport-Security` header if sent
* ``ct_max_age``: The maximum age for the `Expect-CT` header if sent
+* ``referrer_policy``: The referrer policy to use, either `"same-origin"` or `"no-referrer"`.
end
defp headers do
+ referrer_policy = Config.get([:http_security, :referrer_policy])
+
[
{"x-xss-protection", "1; mode=block"},
{"x-permitted-cross-domain-policies", "none"},
{"x-frame-options", "DENY"},
{"x-content-type-options", "nosniff"},
- {"referrer-policy", "same-origin"},
+ {"referrer-policy", referrer_policy},
{"x-download-options", "noopen"},
{"content-security-policy", csp_string() <> ";"}
]
assert Conn.get_resp_header(conn, "strict-transport-security") == []
assert Conn.get_resp_header(conn, "expect-ct") == []
end
+
+ test "referrer-policy header reflects configured value", %{conn: conn} do
+ conn =
+ conn
+ |> get("/api/v1/instance")
+
+ assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"]
+
+ Config.put([:http_security, :referrer_policy], "no-referrer")
+
+ conn =
+ build_conn()
+ |> get("/api/v1/instance")
+
+ assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"]
+ end
end