fix(gatsby-plugin-netlify): Add Referrer-Policy to security headers #13452
Conversation
Add 'Referrer-Policy: same-origin' to SECURITY_HEADERS.
This is a welcome addition and same-origin is a good default to have! Thank you so much @browniebroke and congratulations on your first contribution! 🥇
Holy buckets, @browniebroke — we just merged your PR to Gatsby! 💪💜 Gatsby is built by awesome people like you. Let us say “thanks” in two ways:
If there’s anything we can do to help, please don’t hesitate to reach out to us: tweet at @gatsbyjs and we’ll come a-runnin’. Thanks again!
This is actually a breaking change for us and it took me a while to find this. We use a map image provider who doesn't use an API key but the referrer to regulate access. This stopped working for us, as it's not It's easy to fix by adjusting the gatsby-config:

```js
{
  resolve: 'gatsby-plugin-netlify',
  options: {
    headers: {
      '/*': [`Referrer-Policy: no-referrer-when-downgrade`],
    },
  },
},
```

Should have checked the release notes more thoroughly before updating the package :)
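The breakage described in the comment above comes down to what each Referrer-Policy value lets the browser put in the Referer header on a cross-origin request. The following is an added example, not code from this PR or from gatsby-plugin-netlify: a small model of the policy rules as specified for browsers, plus a constructed stand-in for a third-party image host that allowlists referrer origins (the hostnames, paths and the `tileServerAllows` helper are assumptions for illustration).

```javascript
// Added example (not part of gatsby-plugin-netlify or this PR).
// Returns the Referer value a browser would send for a request from
// `fromUrl` to `toUrl` under `policy`, or null when none is sent.
// Fragments are never sent; a "downgrade" is an https -> http request.
function refererFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const originOnly = from.origin + '/';
  const fullUrl = from.origin + from.pathname + from.search;
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : fullUrl;
    case 'same-origin':
      // What this PR ships as the default: nothing at all crosses origins.
      return sameOrigin ? fullUrl : null;
    case 'origin':
      return originOnly;
    case 'strict-origin':
      return downgrade ? null : originOnly;
    case 'origin-when-cross-origin':
      return sameOrigin ? fullUrl : originOnly;
    case 'strict-origin-when-cross-origin':
      // Leaks only the origin cross-origin, and nothing on a downgrade.
      if (downgrade) return null;
      return sameOrigin ? fullUrl : originOnly;
    case 'unsafe-url':
      return fullUrl;
    default:
      throw new Error(`unknown Referrer-Policy value: ${policy}`);
  }
}

// Constructed stand-in for the "map image provider" in the thread: it has no
// API key and admits a request only when the Referer's origin is allowlisted.
// (Hypothetical helper, not any real provider's logic.)
function tileServerAllows(referer, allowedOrigins) {
  if (referer === null) return false;
  return allowedOrigins.includes(new URL(referer).origin);
}

// Walk a Gatsby page's tile request through each policy so the trade-off is
// visible: which policies keep referrer-gated access working, and what they
// expose to the third party to do so. Constructed sample URLs.
function comparePolicies() {
  const page = 'https://example.com/map?q=1#section';
  const tile = 'https://tiles.example.net/1/2/3.png';
  const allowed = ['https://example.com'];
  const policies = [
    'same-origin',
    'no-referrer-when-downgrade',
    'strict-origin-when-cross-origin',
  ];
  return policies.map((policy) => {
    const referer = refererFor(policy, page, tile);
    return { policy, referer, allowed: tileServerAllows(referer, allowed) };
  });
}
```

The table `comparePolicies()` returns makes the point of the comment concrete: under `same-origin` the cross-origin tile request carries no Referer, so a referrer-gated provider rejects it; `no-referrer-when-downgrade` restores access but sends the full page URL (path and query) to the third party; `strict-origin-when-cross-origin` is the middle ground, sending only `https://example.com/`, which is enough for origin allowlisting without exposing the path.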
Turns out my fix is wrong, as it will create the header as:

I'll change it to this:

```js
{
  resolve: 'gatsby-plugin-netlify',
  options: {
    mergeSecurityHeaders: false,
    headers: {
      '/*': [
        `X-Frame-Options: DENY`,
        `X-XSS-Protection: 1; mode=block`,
        `X-Content-Type-Options: nosniff`,
        `Referrer-Policy: no-referrer-when-downgrade`,
      ],
    },
  },
},
```
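The comment above found that adding its own `Referrer-Policy` line did not replace the default one, and fell back to `mergeSecurityHeaders: false` with the full list spelled out. The following is an added example, not the plugin's merge code: it contrasts a merge that appends user headers to the defaults with one keyed on the (case-insensitive) header name, and renders the result in Netlify `_headers` file syntax. `DEFAULT_SECURITY_HEADERS` here is a constructed list matching the values quoted in the thread; the function names and the rendering helper are assumptions for illustration.

```javascript
// Added example (not gatsby-plugin-netlify's own code). Models two ways of
// combining a default security-header list with user-supplied headers for
// a path, and shows why only a name-keyed merge lets a user override
// Referrer-Policy instead of shipping two copies of it.

// Constructed to match the header values quoted in this thread.
const DEFAULT_SECURITY_HEADERS = [
  'X-Frame-Options: DENY',
  'X-XSS-Protection: 1; mode=block',
  'X-Content-Type-Options: nosniff',
  'Referrer-Policy: same-origin',
];

// Split "Name: value" into its parts; header names compare case-insensitively.
function parseHeader(line) {
  const i = line.indexOf(':');
  if (i < 0) throw new Error(`malformed header line: ${line}`);
  return {
    name: line.slice(0, i).trim().toLowerCase(),
    value: line.slice(i + 1).trim(),
    raw: line.trim(),
  };
}

// Append-style merge: every line is kept, so a user Referrer-Policy is added
// next to the default one rather than replacing it.
function mergeByConcat(defaults, userHeaders) {
  return [...defaults, ...userHeaders];
}

// Name-keyed merge: later entries with the same name win, so user headers
// override defaults. Map keeps the defaults' ordering for overridden names.
function mergeByName(defaults, userHeaders) {
  const byName = new Map();
  for (const line of [...defaults, ...userHeaders]) {
    const h = parseHeader(line);
    byName.set(h.name, h.raw);
  }
  return [...byName.values()];
}

// Number of lines carrying a given header name; >1 means duplicates.
function countHeader(lines, name) {
  const wanted = name.toLowerCase();
  return lines.filter((l) => parseHeader(l).name === wanted).length;
}

// Netlify _headers syntax: a path line followed by indented header lines.
function renderNetlifyHeaders(path, lines) {
  return [path, ...lines.map((l) => `  ${l}`)].join('\n') + '\n';
}
```

With `const user = ['Referrer-Policy: no-referrer-when-downgrade']`, `mergeByConcat(DEFAULT_SECURITY_HEADERS, user)` yields two `Referrer-Policy` lines while `mergeByName` yields one carrying the user's value. Whichever merge a plugin implements, the check worth keeping is `countHeader(result, 'Referrer-Policy') === 1` on the generated `_headers` output, since a response with two conflicting policy headers leaves the effective policy to the browser's handling of the duplicate rather than to the site owner.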
This broke API access for me as well that relied on referer headers. Not a good default, would suggest
Description
Add 'Referrer-Policy: same-origin' to SECURITY_HEADERS.
This is one of the headers checked by securityheaders.com and currently it's not included by Gatsby by default. I was adding it to a few of my projects, but I realised it could probably be added upstream, so here it is.
Looking around, it seems that 'same-origin' is a good default, but I don't feel strongly about it. Would this be welcome?
Related Issues