Set Referrer-Policy to strict-origin

jelly · jelly · commit cc799ff11127 · 2021-04-12T21:59:46.000+02:00
This does not leak the referrer when going from HTTP to HTTP.
diff --git a/settings.py b/settings.py
@@ -88,7 +88,7 @@
 X_FRAME_OPTIONS = 'DENY'
 
 # Referrer Policy
-SECURE_REFERRER_POLICY = 'no-referrer-when-downgrade'
+SECURE_REFERRER_POLICY = 'strict-origin'
 
 # X-Content-Type-Options, stops browsers from trying to MIME-sniff the content type
 SECURE_CONTENT_TYPE_NOSNIFF = True
