From 64aca0dc1be041459e4e8f70e031b44d3e6dbb73 Mon Sep 17 00:00:00 2001
From: Sam Saffron
Date: Wed, 24 Oct 2018 08:38:39 +1100
Subject: [PATCH] FIX: remove duplicate referrer policy Rails already ships with strict-origin-when-cross-origin, no need to also add no-referrer-when-downgrade see: https://meta.discourse.org/t/harden-referrer-policy-header/100172
---
 config/nginx.sample.conf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/config/nginx.sample.conf b/config/nginx.sample.conf
index b1a59447186..f22dc22f8b8 100644
--- a/config/nginx.sample.conf
+++ b/config/nginx.sample.conf
@@ -261,7 +261,6 @@ server {
 }
 location @discourse {
- add_header Referrer-Policy 'no-referrer-when-downgrade';
 proxy_set_header Host $http_host;
 proxy_set_header X-Request-Start "t=${msec}";
 proxy_set_header X-Real-IP $remote_addr;