From 57217a7f0847e899b24a6e56af3127d818c7431b Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Thu, 20 May 2021 23:58:24 +0200
Subject: [PATCH] add Referrer-Policy header

---
 defaults/main.yml | 4 ++++
 templates/etc/nginx/conf.d/header.conf.j2 | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index f31b0ab..585a13d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -74,6 +74,7 @@ nginx_tls_hsts_enabled: False
 nginx_hsts_options:
 - max-age=63072000
 - includeSubDomains
+ - preload
 
 nginx_xfo_enabled: True
 nginx_xfo_policy: deny
@@ -93,6 +94,9 @@ nginx_xxxsp_parameters:
 - 1
 - mode=block
 
+nginx_rp_enabled: True
+nginx_rp_option: strict-origin
+
 nginx_maps: []
 # @var nginx_maps:example: >
 # nginx_maps:
diff --git a/templates/etc/nginx/conf.d/header.conf.j2 b/templates/etc/nginx/conf.d/header.conf.j2
index 6560a84..9137a53 100644
--- a/templates/etc/nginx/conf.d/header.conf.j2
+++ b/templates/etc/nginx/conf.d/header.conf.j2
@@ -27,3 +27,9 @@ add_header X-Content-Type-Options nosniff always;
 {% if nginx_xxxsp_enabled %}
 add_header X-XSS-Protection "{{ nginx_xxxsp_parameters | default([]) |join(' ; ') }}" always;
 {% endif %}
+
+# governs which referrer information, sent in the Referer header, should be included with requests made
+# https://owasp.org/www-project-secure-headers/#referrer-policy
+{% if nginx_rp_enabled %}
+add_header Referrer-Policy "{{ nginx_rp_option }}" always;
+{% endif %}
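Review bot: Adding `preload` to the default `nginx_hsts_options` in the first defaults/main.yml hunk changes every consumer's HSTS header into one that is eligible for the browser preload list, which the commit subject does not mention and which is effectively irreversible once a domain is submitted: preload requires `includeSubDomains`, so it binds every subdomain to HTTPS, and removal from the list takes browser release cycles rather than a config change. The existing `max-age=63072000` and `includeSubDomains` already satisfy the list's minimum requirements, so the directive itself is consistent; the concern is only that turning it on by default is a policy decision for the operator, not a header fix. Consider leaving it out of the default list and documenting it as opt-in, e.g. a commented entry `# - preload  # opt-in: only once the domain is meant to be submitted to the HSTS preload list`.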
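Review bot: `nginx_rp_option` in the second defaults/main.yml hunk is a bare scalar, while the sibling header variables (`nginx_hsts_options`, `nginx_xxxsp_parameters`) are lists the template joins, and Referrer-Policy itself accepts a comma-separated fallback list (e.g. `no-referrer, strict-origin-when-cross-origin`, where older browsers that only know the first token still get a policy), so a scalar closes that door; the same shape applies to the new `add_header Referrer-Policy` line in the header.conf.j2 hunk. A list form, `nginx_rp_options:` followed by `  - strict-origin`, rendered with `"{{ nginx_rp_options | join(', ') }}"` in the template, would mirror `nginx_xxxsp_parameters` and keep the fallback option open. The defaults file also carries `# @var` annotations (visible for `nginx_maps`), so the two new variables probably need matching `# @var nginx_rp_enabled:description:` and `# @var nginx_rp_option:description:` entries naming the accepted tokens — worth confirming against how the role's documentation is generated.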
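Review bot: The new `add_header Referrer-Policy "{{ nginx_rp_option }}" always;` line interpolates the variable with no validation, and browsers ignore an unrecognised token and fall back to their built-in default (currently `strict-origin-when-cross-origin` in mainstream browsers), so a typo in an operator's override silently replaces the intended policy with no error from nginx or Ansible; the comment above the block could at least name the accepted tokens, e.g. `# valid tokens: no-referrer, no-referrer-when-downgrade, same-origin, origin, strict-origin, origin-when-cross-origin, strict-origin-when-cross-origin, unsafe-url`. Note also that the linked OWASP page recommends `strict-origin-when-cross-origin`, whereas the chosen default `strict-origin` is stricter (origin only, even on same-origin requests); that is a reasonable hardening default, but a sentence in the comment saying so would save operators from assuming it is the OWASP-recommended value. The enclosing header.conf.j2 file starts before this hunk, so earlier header blocks are not visible here.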