authorSheogorath2018-02-12 01:29:58 +0100
committerSheogorath2018-02-12 01:59:48 +0100
commit714504618c19bbdb8e160a2fc8c9cda32ec4ce76 (patch)
treef4c3b59ac82599148883da0d35bb0a2ed491199e /app.js
parentbb5e021f201c8ad83fe2736dee0faef123bfca50 (diff)
Add referrer policy
This commit adds a referrer policy to all requests. Using `same-origin` allows HackMD to still interpret all requests, so nothing breaks. But it prevents 3rd-party scripts, pictures and more from getting information that may lead to an unsecured note. It has to be mentioned that this may break some features of the Google Analytics embedding. This has to be tested. Fixes #724 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Diffstat (limited to '')
-rw-r--r--app.js7
1 files changed, 7 insertions, 0 deletions
diff --git a/app.js b/app.js
index b7d493e0..0db65e94 100644
--- a/app.js
+++ b/app.js
@@ -110,6 +110,13 @@ if (config.hsts.enable) {
logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
}
+// Add referrer policy to improve privacy
+app.use(
+ helmet.referrerPolicy({
+ policy: 'same-origin'
+ })
+)
+
// Generate a random nonce per request, for CSP with inline scripts
app.use(csp.addNonceToLocals)
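Review bot: The policy added at `helmet.referrerPolicy({ policy: 'same-origin' })` is hard-coded and unconditional, while the commit description itself says the Google Analytics embedding may break and is untested; the HSTS block just above is gated on `config.hsts.enable`, so operators have no equivalent way to adjust or disable this one. Consider reading the value from the config with `same-origin` as the default, or at least extend the comment to record the intent, e.g. `// Send Referer only to our own origin so note URLs are not disclosed to third-party scripts and images`. A browser that does not recognise the `same-origin` token ignores the header and keeps its default referrer behaviour, so this is a best-effort control rather than a guarantee that note URLs never leak. The order of this middleware relative to the route and static-file handlers is not visible in this hunk, so it is worth confirming that it is registered before them.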