How can I add a Referrer-Policy header in Apache with .htaccess?

How can I add a Referrer-Policy header with .htaccess?

Before adding the Referrer-Policy header with .htaccess, you must first activate the rewrite module.
Paste this command into a terminal:
sudo a2enmod rewrite

Once the rewrite module is activated, you can use .htaccess in Apache.

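Let's add the Referrer-Policy header in Apache with .htaccess!
Header always set Referrer-Policy "same-origin"
Write this line in .htaccess. The Header directive is provided by mod_headers, so that module must be enabled as well.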

The available policy values are:
no-referrer
no-referrer-when-downgrade (default)
origin
origin-when-cross-origin
same-origin
strict-origin
strict-origin-when-cross-origin
unsafe-url
------------------------------------------------------------
no-referrer
The Referer header will be omitted entirely. No referrer information is sent along with requests.
no-referrer-when-downgrade (default)
This is the default behavior if no policy is specified, or if the provided value is invalid. The origin, path, and querystring of the URL are sent as a referrer when the protocol security level stays the same (HTTP→HTTP, HTTPS→HTTPS) or improves (HTTP→HTTPS), but isn't sent to less secure destinations (HTTPS→HTTP).
There is effort from browsers in moving to a stricter default value, namely strict-origin-when-cross-origin (see https://github.com/whatwg/fetch/pull/952), consider using this value (or a stricter one), if possible, when changing the Referrer-Policy.
origin
Only send the origin of the document as the referrer.
For example, a document at https://example.com/page.html will send the referrer https://example.com/.
origin-when-cross-origin
Send the origin, path, and query string when performing a same-origin request, but only send the origin of the document for other cases.
same-origin
A referrer will be sent for same-site origins, but cross-origin requests will send no referrer information.
strict-origin
Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don't send it to a less secure destination (HTTPS→HTTP).
strict-origin-when-cross-origin
Send the origin, path, and querystring when performing a same-origin request, only send the origin when the protocol security level stays the same while performing a cross-origin request (HTTPS→HTTPS), and send no header to any less-secure destinations (HTTPS→HTTP).
unsafe-url
Send the origin, path, and query string when performing any request, regardless of security.

This explanation is Mozilla's explanation.
------------------------------------------------------------

Thanks for watching. Write a comment if you have a rewrite request or a question.
