I was researching how to customize the Referrer-Policy header and came across a previous feature request, Harden Referrer-Policy Header. That didn't really address allowing the Discourse administrator to customize it though. The result of that ticket was that the duplicate header was dropped from the nginx config and is now being handled in Rails.
I think this feature would be useful for installations that want more stringent control of that header and aligns nicely with the recent CSP additions added to the GUI. Or maybe disable it in Rails and then allow an override in nginx so it's easier for administrators to modify without requiring someone to wire up GUI changes?