From 714504618c19bbdb8e160a2fc8c9cda32ec4ce76 Mon Sep 17 00:00:00 2001 From: Sheogorath Date: Mon, 12 Feb 2018 01:29:58 +0100 Subject: [PATCH] Add referrer policy This commit adds a referrer policy to all requests. The usage of `same-origin` allows HackMD to still interpret all requests and this way not break anything. But it prevents 3rd party scripts, pictures and more to get informations that may lead to not secured note. It has to be mentioned that this maybe breaks some features of the Google Analytics embedding. This has to be tested. Fixes #724 Signed-off-by: Sheogorath --- app.js | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/app.js b/app.js index b7d493e04..0db65e947 100644 --- a/app.js +++ b/app.js @@ -110,6 +110,13 @@ if (config.hsts.enable) { logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security') } +// Add referrer policy to improve privacy +app.use( + helmet.referrerPolicy({ + policy: 'same-origin' + }) +) + // Generate a random nonce per request, for CSP with inline scripts app.use(csp.addNonceToLocals)