From d195fbfbafa0f6e9c3f4969243c8de6e87af761d Mon Sep 17 00:00:00 2001
From: Alex Norden
Date: Tue, 4 Dec 2018 13:33:02 +0000
Subject: [PATCH] Update security.conf

Added new Referrer-policy header required for A rating. Commented on Feature policy being required in the future.
---
 global/server/security.conf | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/global/server/security.conf b/global/server/security.conf
index 9b7d487..5c040aa 100644
--- a/global/server/security.conf
+++ b/global/server/security.conf
@@ -16,4 +16,9 @@ add_header X-Xss-Protection "1; mode=block" always;
 # Whitelist sources which are allowed to load assets (JS, CSS, etc). The following will block
 # only none HTTPS assets, but check out https://scotthelme.co.uk/content-security-policy-an-introduction/
 # for an in-depth guide on creating a more restrictive policy.
-# add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
\ No newline at end of file
+# add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
+
+#To get a minimal A rating, add header Referrer-Policy. Consider adding Feature-Policy. Commented out by default.
+#Referer policy - see for more info https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+#Feature policy - see for more info https://scotthelme.co.uk/a-new-security-header-feature-policy/
+#add_header 'Referrer-Policy' 'origin';
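Review bot: The commented-out directive `#add_header 'Referrer-Policy' 'origin';` at the end of the hunk picks the `origin` policy, which still sends the site's origin to every cross-origin destination including HTTPS-to-HTTP downgrades; `strict-origin-when-cross-origin` (or `strict-origin`) gives the same cross-site protection without leaking the origin on a downgrade, so if this line is meant to be uncommented as written it should read `add_header Referrer-Policy "strict-origin-when-cross-origin" always;`. The `always` flag is also missing, unlike the `X-Xss-Protection` directive shown in the hunk header and the CSP example just above, so once enabled the header would not be emitted on 4xx/5xx responses. Minor wording: the comment says "Referer policy" but the response header is spelled Referrer-Policy (only the request header `Referer` carries the historic misspelling), and the quoted header name differs from the unquoted style the rest of this file uses.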