diff --git a/mig/install/apache-MiG-template.conf b/mig/install/apache-MiG-template.conf
index 5ad03f57d..c3f9a4a1b 100644
--- a/mig/install/apache-MiG-template.conf
+++ b/mig/install/apache-MiG-template.conf
@@ -165,6 +165,10 @@ Alias /status-events.json "__MIG_STATE__/wwwpublic/status-events.json"
 # recommended by W3C and security scans.
 Header always set Content-Security-Policy: "frame-ancestors 'self';"
+ # Set Referrer-Policy to prevent referrer info leaking to external sites as
+ # recommended by W3C and security scans.
+ Header always set Referrer-Policy "strict-origin-when-cross-origin"
+
 # Force IE browsers to exit compatibility mode even if enabled for all
 # intranet sites, which is the standard policy in some places.
diff --git a/tests/fixture/confs-stdlocal/MiG.conf b/tests/fixture/confs-stdlocal/MiG.conf
index 6eb4b6a98..774cede66 100644
--- a/tests/fixture/confs-stdlocal/MiG.conf
+++ b/tests/fixture/confs-stdlocal/MiG.conf
@@ -165,6 +165,10 @@ Alias /status-events.json "/home/mig/state/wwwpublic/status-events.json"
 # recommended by W3C and security scans.
 Header always set Content-Security-Policy: "frame-ancestors 'self';"
+ # Set Referrer-Policy to prevent referrer info leaking to external sites as
+ # recommended by W3C and security scans.
+ Header always set Referrer-Policy "strict-origin-when-cross-origin"
+
 # Force IE browsers to exit compatibility mode even if enabled for all
 # intranet sites, which is the standard policy in some places.
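Review bot: The comment above the new `Header always set Referrer-Policy` line over-states what `strict-origin-when-cross-origin` does: the browser still sends the scheme and host as Referer on cross-origin requests at the same security level and the full URL on same-origin requests, and only drops path and query cross-origin and suppresses the header on HTTPS-to-HTTP downgrades. Suggest wording the comment to match, e.g. `# Set Referrer-Policy so cross-origin requests only see our origin (no path or`, `# query) and downgrades get no Referer at all, as recommended by W3C and`, `# security scans; use "no-referrer" if the referrer must never be sent.` The same text is duplicated in the tests/fixture/confs-stdlocal/MiG.conf hunk, so keep the two in sync. Minor style point: the adjacent Content-Security-Policy line spells the header name with a trailing colon while the new line does not; mod_headers appears to tolerate both, but one form per file reads better. The enclosing configuration section starts and ends outside the hunk.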