From 57217a7f0847e899b24a6e56af3127d818c7431b Mon Sep 17 00:00:00 2001
From: Robert Kaussow <mail@geeklabor.de>
Date: Thu, 20 May 2021 23:58:24 +0200
Subject: [PATCH] add Referrer-Policy header

---
 defaults/main.yml                         | 4 ++++
 templates/etc/nginx/conf.d/header.conf.j2 | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index f31b0ab..585a13d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -74,6 +74,7 @@ nginx_tls_hsts_enabled: False
 nginx_hsts_options:
   - max-age=63072000
   - includeSubDomains
+  - preload
 
 nginx_xfo_enabled: True
 nginx_xfo_policy: deny
@@ -93,6 +94,9 @@ nginx_xxxsp_parameters:
   - 1
   - mode=block
 
+nginx_rp_enabled: True
+nginx_rp_option: strict-origin
+
 nginx_maps: []
 # @var nginx_maps:example: >
 # nginx_maps:
diff --git a/templates/etc/nginx/conf.d/header.conf.j2 b/templates/etc/nginx/conf.d/header.conf.j2
index 6560a84..9137a53 100644
--- a/templates/etc/nginx/conf.d/header.conf.j2
+++ b/templates/etc/nginx/conf.d/header.conf.j2
@@ -27,3 +27,9 @@ add_header X-Content-Type-Options nosniff always;
 {% if nginx_xxxsp_enabled %}
 add_header X-XSS-Protection "{{ nginx_xxxsp_parameters | default([]) |join(' ; ') }}" always;
 {% endif %}
+
+# governs which referrer information, sent in the Referer header, should be included with requests made
+# https://owasp.org/www-project-secure-headers/#referrer-policy
+{% if nginx_rp_enabled %}
+add_header Referrer-Policy "{{ nginx_rp_option }}" always;
+{% endif %}