
Nice list. You might want to consider setting a "Referrer-Policy"[1] for sites with URLs that you'd prefer not to leak.

Also, for "Set-Cookie", the relatively new "SameSite"[2] directive would be a good addition for most sites.

Oh, and for CSP, check Google's evaluator out[3].

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Re...

[2] https://www.owasp.org/index.php/SameSite

[3] https://csp-evaluator.withgoogle.com



Referrer-Policy is nice, but browsers should just default to strict-origin-when-cross-origin and end the mess.
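A small response-header audit that ties the two comments above together: it flags a missing Referrer-Policy (or an unrecognised value), a Set-Cookie without a SameSite attribute (and SameSite=None without Secure), and a missing Content-Security-Policy, and a helper applies strict-origin-when-cross-origin and SameSite=Lax where absent. This is an added example, not code from either commenter or from the list being discussed; the header names and the sample cookies are constructed, and CSP is deliberately only flagged, never invented, because its value is site-specific.

```python
"""Audit and harden a set of HTTP response headers (added example, constructed data)."""
from typing import List, Optional, Tuple

# Values the Referrer-Policy header may legitimately carry.
VALID_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

# Headers are kept as (name, value) pairs because Set-Cookie may repeat.
Headers = List[Tuple[str, str]]


def _get(headers: Headers, name: str) -> List[str]:
    """All values of a header, matched case-insensitively."""
    return [v for n, v in headers if n.lower() == name.lower()]


def _cookie_attrs(set_cookie: str) -> List[str]:
    """Attribute strings after the first ';' of a Set-Cookie value."""
    return [a.strip() for a in set_cookie.split(";")[1:]]


def cookie_samesite(set_cookie: str) -> Optional[str]:
    """Return the SameSite attribute of a Set-Cookie value, or None if absent."""
    for attr in _cookie_attrs(set_cookie):
        key, _, value = attr.partition("=")
        if key.strip().lower() == "samesite":
            return value.strip() or None
    return None


def audit_headers(headers: Headers) -> List[str]:
    """Return findings in a fixed order; an empty list means nothing was flagged."""
    findings: List[str] = []

    rp = _get(headers, "Referrer-Policy")
    if not rp:
        findings.append("missing Referrer-Policy")
    elif rp[-1].strip().lower() not in VALID_REFERRER_POLICIES:
        findings.append(f"unknown Referrer-Policy value: {rp[-1]!r}")

    for cookie in _get(headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        same_site = cookie_samesite(cookie)
        secure = any(a.lower() == "secure" for a in _cookie_attrs(cookie))
        if same_site is None:
            findings.append(f"cookie {name!r} has no SameSite attribute")
        elif same_site.lower() == "none" and not secure:
            findings.append(f"cookie {name!r} uses SameSite=None without Secure")

    if not _get(headers, "Content-Security-Policy"):
        findings.append("missing Content-Security-Policy")
    return findings


def harden_headers(headers: Headers) -> Headers:
    """Add SameSite=Lax to cookies lacking it and a default Referrer-Policy."""
    out: Headers = []
    for name, value in headers:
        if name.lower() == "set-cookie" and cookie_samesite(value) is None:
            value = value.rstrip().rstrip(";") + "; SameSite=Lax"
        out.append((name, value))
    if not _get(out, "Referrer-Policy"):
        out.append(("Referrer-Policy", "strict-origin-when-cross-origin"))
    return out


# Constructed sample response headers for a run of the audit.
SAMPLE_HEADERS: Headers = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "pref=dark; Path=/; SameSite=Lax"),
]

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("before:", finding)
    for finding in audit_headers(harden_headers(SAMPLE_HEADERS)):
        print("after: ", finding)
```

The checker only reads the last Referrer-Policy value, matching how browsers resolve duplicates, and the hardening step leaves CSP alone: a policy that works for one site breaks another, which is exactly why the evaluator linked above is worth running on the real header.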



