From 608c58db3d709d03662898e3792ec31d865bc87b Mon Sep 17 00:00:00 2001
From: Jonas Bardino
Date: Wed, 2 Jul 2025 09:39:49 +0200
Subject: [PATCH 1/2] Implement default Referrer-Policy in Apache as recommended by W3C and security scans.
---
 mig/install/apache-MiG-template.conf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/mig/install/apache-MiG-template.conf b/mig/install/apache-MiG-template.conf
index 5ad03f57d..c3f9a4a1b 100644
--- a/mig/install/apache-MiG-template.conf
+++ b/mig/install/apache-MiG-template.conf
@@ -165,6 +165,10 @@ Alias /status-events.json "__MIG_STATE__/wwwpublic/status-events.json"
 # recommended by W3C and security scans.
 Header always set Content-Security-Policy: "frame-ancestors 'self';"
+ # Set Referrer-Policy to prevent referrer info leaking to external sites as
+ # recommended by W3C and security scans.
+ Header always set Referrer-Policy "strict-origin-when-cross-origin"
+
 # Force IE browsers to exit compatibility mode even if enabled for all
 # intranet sites, which is the standard policy in some places.
From a7aaea4f4e51f3148cd8bc659b605a98f8b1677e Mon Sep 17 00:00:00 2001
From: Jonas Bardino
Date: Wed, 2 Jul 2025 09:58:48 +0200
Subject: [PATCH 2/2] Update fixtures to fit added apache conf template.
---
 tests/fixture/confs-stdlocal/MiG.conf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/tests/fixture/confs-stdlocal/MiG.conf b/tests/fixture/confs-stdlocal/MiG.conf
index 6eb4b6a98..774cede66 100644
--- a/tests/fixture/confs-stdlocal/MiG.conf
+++ b/tests/fixture/confs-stdlocal/MiG.conf
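Review bot: The new comment above the Referrer-Policy directive overstates what `strict-origin-when-cross-origin` does: it still sends the origin (scheme, host, port) to external sites on same-security-level navigations and sends the full URL same-origin; only the path and query are withheld cross-origin and everything is withheld on HTTPS-to-HTTP downgrades. It is also the default in current Chrome, Firefox and Safari, so the header mainly pins that behaviour for older clients and for scanners that look for an explicit header. I would reword the comment to `# Set Referrer-Policy so cross-origin requests carry only our origin (never path or query) and nothing on HTTPS->HTTP downgrades; this pins the modern browser default for older clients.` If any MiG URLs carry capability tokens or session identifiers in the path or query, the origin-only leak is fine, but if the intent really is no leakage to external sites then `same-origin` or `no-referrer` is the value to use, and because `Header always set` overrides anything the application emits, `setifempty` would let individual responses tighten the policy further. The enclosing container these indented directives live in starts and ends outside the hunk, so I cannot see whether the header also applies to the public wwwpublic aliases above.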
@@ -165,6 +165,10 @@ Alias /status-events.json "/home/mig/state/wwwpublic/status-events.json"
 # recommended by W3C and security scans.
 Header always set Content-Security-Policy: "frame-ancestors 'self';"
+ # Set Referrer-Policy to prevent referrer info leaking to external sites as
+ # recommended by W3C and security scans.
+ Header always set Referrer-Policy "strict-origin-when-cross-origin"
+
 # Force IE browsers to exit compatibility mode even if enabled for all
 # intranet sites, which is the standard policy in some places.