Stricter default for Referrer Policy

Ref: h5bp/server-configs-apache#204

h5bp/security/referrer-policy.conf

@@ -2,15 +2,20 @@
 # | Referrer Policy                                                    |
 # ----------------------------------------------------------------------
 
-# A web application uses HTTPS and a URL-based session identifier.
-# The web application might wish to link to HTTPS resources on other web
-# sites without leaking the user's session identifier in the URL.
+# Set a strict Referrer Policy to mitigate information leakage.
 #
-# This can be done by setting a `Referrer Policy` which whitelists trusted
-# sources of content for your website.
+# (1) The `Referrer-Policy` header is included in responses for resources
+#     that are able to request (or navigate to) other resources.
 #
-# To check your referrer policy, you can use an online service such as:
-# https://securityheaders.io/.
+#     This includes the commonly used resource types:
+#     HTML, CSS, XML/SVG, PDF documents, scripts and workers.
+#
+# To prevent referrer leakage entirely, specify the `no-referrer` value
+# instead. Note that the effect could impact analytics metrics negatively.
+#
+# To check your Referrer Policy, you can use an online service, such as:
+# https://securityheaders.com/
+# https://observatory.mozilla.org/
 #
 # https://scotthelme.co.uk/a-new-security-header-referrer-policy/
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

nginx.conf

@@ -118,7 +118,7 @@ http {
   # Add Referrer-Policy for HTML documents.
   # h5bp/security/referrer-policy.conf.conf
   map $sent_http_content_type $referrer_policy {
-    ~*text/html "no-referrer-when-downgrade";
+    ~*text/html "strict-origin-when-cross-origin";
   }
 
   # Add X-UA-Compatible for HTML documents.