add Referrer-Policy header

defaults/main.yml

@@ -74,6 +74,7 @@ nginx_tls_hsts_enabled: False
 nginx_hsts_options:
   - max-age=63072000
   - includeSubDomains
+  - preload
 
 nginx_xfo_enabled: True
 nginx_xfo_policy: deny
@@ -93,6 +94,9 @@ nginx_xxxsp_parameters:
   - 1
   - mode=block
 
+nginx_rp_enabled: True
+nginx_rp_option: strict-origin
+
 nginx_maps: []
 # @var nginx_maps:example: >
 # nginx_maps:

templates/etc/nginx/conf.d/header.conf.j2

@@ -27,3 +27,9 @@ add_header X-Content-Type-Options nosniff always;
 {% if nginx_xxxsp_enabled %}
 add_header X-XSS-Protection "{{ nginx_xxxsp_parameters | default([]) |join(' ; ') }}" always;
 {% endif %}
+
+# governs which referrer information, sent in the Referer header, should be included with requests made
+# https://owasp.org/www-project-secure-headers/#referrer-policy
+{% if nginx_rp_enabled %}
+add_header Referrer-Policy "{{ nginx_rp_option }}" always;
+{% endif %}