From 0a12006d32cfefa513ff4cb6d6fecf80d668ae48 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Tue, 8 Aug 2017 00:37:05 -0400
Subject: [PATCH] Referrer-Policy header

---
 util/Setup/Program.cs | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/util/Setup/Program.cs b/util/Setup/Program.cs
index ae07d129b6..5401fe08b7 100644
--- a/util/Setup/Program.cs
+++ b/util/Setup/Program.cs
@@ -117,7 +117,7 @@ server {{
 
 # Headers
 # X-Frame-Options is to prevent from clickJacking attack
- #add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Frame-Options SAMEORIGIN;
 
 # disable content-type sniffing on some browsers.
 add_header X-Content-Type-Options nosniff;
@@ -125,8 +125,13 @@ server {{
 # This header enables the Cross-site scripting (XSS) filter
 add_header X-XSS-Protection ""1; mode=block"";
 
- # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
- #add_header Strict-Transport-Security max-age=15768000;");
+ # This header controls what referrer information is shared
+ add_header Referrer-Policy same-origin;
+
+ # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
+ add_header Strict-Transport-Security max-age=15768000;
+
+ # Content-Security-Policy is set via meta tag on the website so it is not included here");
 }
 
 sw.WriteLine($@"
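Review bot: The now-enabled `add_header X-Frame-Options SAMEORIGIN;` is emitted at `server {}` level, and nginx drops every server-level `add_header` inside any `location` block that declares its own `add_header`, so the header only reaches clients for locations that set none; whether the generated config has such locations is outside this hunk. A comment on the line would warn the next maintainer, e.g. `# NOTE: nginx does not inherit these add_header lines into a location that sets its own add_header`. The same caveat applies to the Referrer-Policy and Strict-Transport-Security lines added in the second hunk. Adding the `always` parameter (`add_header X-Frame-Options SAMEORIGIN always;`) would also send the header on 4xx/5xx responses, which nginx otherwise omits.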
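Review bot: The Strict-Transport-Security comment ends in `6 months age`, but 15768000 is the header's `max-age` in seconds; `# This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. max-age is 6 months` says what the number means. Since the setup tool now writes this line unconditionally, every generated install pins browsers to HTTPS for six months after they first see the header over TLS, and that pin cannot be withdrawn early once clients have cached it; that is a sound default for this service, but the comment could note that the value is deliberately long-lived so nobody lowers it expecting an immediate effect. The enclosing method continues outside the hunk.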