depau/HackMD
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Add referrer policy

Browse source 
This commit adds a referrer policy to all requests.

The usage of `same-origin` allows HackMD to still interpret all requests
and this way not break anything. But it prevents 3rd party scripts,
pictures and more to get informations that may lead to not secured note.

It has to be mentioned that this maybe breaks some features of the
Google Analytics embedding. This has to be tested.

Fixes #724

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This commit is contained in:
Sheogorath 2018-02-12 01:29:58 +01:00
parent bb5e021f20
commit 714504618c
No known key found for this signature in database
GPG key ID: 1F05CC3635CDDFFD
1 changed files with 7 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
app.js
View file

@ -110,6 +110,13 @@ if (config.hsts.enable) {
logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
}
// Add referrer policy to improve privacy
app.use(
helmet.referrerPolicy({
policy: 'same-origin'
})
)
// Generate a random nonce per request, for CSP with inline scripts
app.use(csp.addNonceToLocals)