[fix] Fixed duplicated conflicting Referrer-Policy header

pandafy · nemesifier · commit 584da5356d6b · 2026-01-31T13:07:20.000-03:00
(cherry picked from commit 004c487)
diff --git a/images/common/openwisp/settings.py b/images/common/openwisp/settings.py
@@ -75,6 +75,8 @@
 if HTTP_SCHEME == "https":
     SESSION_COOKIE_SECURE = True
     CSRF_COOKIE_SECURE = True
+    SECURE_REFERRER_POLICY = "strict-origin-when-cross-origin"
+
 if HTTP_SCHEME == "http":
     DJANGO_LOCI_GEOCODE_STRICT_TEST = False
 
diff --git a/images/openwisp_nginx/openwisp.ssl.template.conf b/images/openwisp_nginx/openwisp.ssl.template.conf
@@ -21,7 +21,6 @@ server {
     # Additional Security Headers
     add_header X-XSS-Protection          "1; mode=block" always;
     add_header X-Content-Type-Options    "nosniff" always;
-    add_header Referrer-Policy           "same-site" always;
     add_header Permissions-Policy        "interest-cohort=()" always;
     add_header Strict-Transport-Security "max-age=31536000" always;
     add_header Content-Security-Policy   "default-src http: https: data: blob: 'unsafe-inline'; script-src 'unsafe-eval' https: 'unsafe-inline' 'self'; frame-ancestors 'self'; connect-src *.${ROOT_DOMAIN}:${NGINX_SSL_PORT} wss: 'self'; worker-src https://${DOMAIN} blob: 'self';" always;
