Hi,

Acked-by: Michael Tremer

> On 4 Nov 2019, at 18:52, peter.mueller(a)ipfire.org wrote:
>
> By default, even modern browsers send the URL of their originating
> site to another one when accessing hyperlinks. This is an information
> leak and may expose internal details (such as FQDN or IP address)
> of an IPFire installation to a third party.
>
> Signed-off-by: Peter Müller
> ---
> config/httpd/vhosts.d/ipfire-interface-ssl.conf | 1 +
> config/httpd/vhosts.d/ipfire-interface.conf | 1 +
> 2 files changed, 2 insertions(+)
>
> diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> index 2009184bb..dc1151110 100644
> --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> @@ -22,6 +22,7 @@
>
> Header always set X-Content-Type-Options nosniff
> Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
> + Header always set Referrer-Policy strict-origin
>
>
> Options ExecCGI
> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
> index b70994404..d95fa264f 100644
> --- a/config/httpd/vhosts.d/ipfire-interface.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> @@ -8,6 +8,7 @@
>
> Header always set X-Content-Type-Options nosniff
> Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
> + Header always set Referrer-Policy strict-origin
>
>
> Options ExecCGI
> --
> 2.16.4
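Review bot: In the ipfire-interface-ssl.conf hunk, `Referrer-Policy strict-origin` does not reach the goal stated in the commit message (keeping the FQDN or IP address of the installation away from third parties): `strict-origin` only drops the path and query string, and still sends the origin, i.e. `https://<host>[:port]`, on every cross-origin navigation where the protocol security level does not drop (HTTPS to HTTPS). Since the web UI has no need to announce itself to external sites, `same-origin` (referrer kept only for the UI's own links, nothing sent cross-origin) or `no-referrer` (nothing sent at all) matches the stated intent; e.g. `Header always set Referrer-Policy same-origin`. After deploying, `curl -sI https://<ipfire>:444/ | grep -i referrer-policy` confirms the header is emitted, and following a link from the UI to an external HTTPS site while watching that site's request headers shows what still leaks under the chosen value.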
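Review bot: The ipfire-interface.conf hunk now carries a header block byte-for-byte identical to the one in ipfire-interface-ssl.conf (X-Content-Type-Options, Content-Security-Policy and the new Referrer-Policy line); keeping these security headers in one shared snippet pulled into both vhosts via Apache's `Include` directive would stop the two copies from drifting apart on the next change. The value itself has the same weakness here as in the SSL vhost: on the cleartext vhost `strict-origin` still sends `http://<host>[:port]` to other HTTP and HTTPS sites (no downgrade is involved), so only the path is withheld; `same-origin` or `no-referrer` would withhold the host as the commit message intends.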