Merge branch 'main' into github-ae-release-notes

2025-12-23 21:07:12 -05:00 · 2021-05-28 15:17:35 -04:00
parent 2bb50cbf90 c046451c18
commit 4008de0e4f
2 changed files with 21 additions and 6 deletions
--- a/middleware/index.js
+++ b/middleware/index.js
@@ -36,7 +36,13 @@ module.exports = function (app) {

  // *** Security ***
  app.use(require('./cors'))
-  app.use(require('helmet')())
+  app.use(require('helmet')({
+    // Override referrerPolicy to match the browser's default: "strict-origin-when-cross-origin".
+    // Helmet now defaults to "no-referrer", which is a problem for our archived assets proxying.
+    referrerPolicy: {
+      policy: 'strict-origin-when-cross-origin'
+    }
+  }))
  app.use(require('./csp')) // Must come after helmet
  app.use(require('./cookie-parser')) // Must come before csrf
  app.use(express.json()) // Must come before csrf