I was researching how to customize the Referrer-Policy header and came across a previous feature request, "Harden Referrer-Policy Header". That didn’t really address allowing the Discourse administrator to customize it, though. The result of that ticket was that the duplicate header was dropped from the nginx config and is now being handled in Rails.
I think this feature would be useful for installations that want more stringent control of that header, and it aligns nicely with the recent CSP additions added to the GUI. Or maybe disable it in Rails and then allow an override in nginx so it’s easier for administrators to modify without requiring someone to wire up GUI changes?
So if anyone else is reading this… I ended up having to do something like this in my config. It looks like the duplicate header was actually in my container still. I’m kind of perplexed why it’s still there, but I didn’t have time to dig. Was easier to just remove it.