From 0c43dafe41151b46fad0ba5808f3846aa8bd32da Mon Sep 17 00:00:00 2001
From: Yannick Warnier
Date: Thu, 8 Jun 2017 12:04:31 -0500
Subject: [PATCH] Add HTTP headers security suggestions for Referrer-Policy and Content-Security-Policy - refs #2013
---
 main/install/configuration.dist.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/main/install/configuration.dist.php b/main/install/configuration.dist.php
index 1e8d7fd53e..324f9fe899 100755
--- a/main/install/configuration.dist.php
+++ b/main/install/configuration.dist.php
@@ -413,7 +413,8 @@ $_configuration['agenda_legend'] = [
 // Content Security Policy is an effective measure to protect your site from
 // XSS attacks. By whitelisting sources of approved content, you can prevent
 // the browser from loading malicious assets.
-//$_configuration['security_content_policy'] = '';
+// The provided default is an *example*, please customize.
+//$_configuration['security_content_policy'] = 'default-src \'self\'; script-src *://*.google.com:*';
 //
 // HTTP Public Key Pinning protects your site from MiTM attacks using rogue
 // X.509 certificates. By whitelisting only the identities that the browser
@@ -439,7 +440,7 @@ $_configuration['agenda_legend'] = [
 //$_configuration['security_x_content_type_options'] = 'X-Content-Type-Options: nosniff';
 //
 // Referrer Policy is a new header that allows a site to control how much
-// information the browser includes with navigations away from a document
+// information the browser includes with navigation away from a document
 // and should be set by all sites.
-//$_configuration['security_referrer_policy'] = '';
+//$_configuration['security_referrer_policy'] = 'origin-when-cross-origin';
 // HTTP headers security section ends here
\ No newline at end of file
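Review bot: The example CSP on the added `security_content_policy` line would block the site's own scripts if an administrator uncomments it unchanged: `script-src` replaces `default-src` for scripts rather than extending it, so `'self'` has to be repeated there, and `*://` is not a valid scheme in a CSP host-source (browsers ignore a source expression they cannot parse), which leaves the google.com entry inert as well. Consider `//$_configuration['security_content_policy'] = 'default-src \'self\'; script-src \'self\' https://*.google.com';` and extending the preceding comment with `// Note: script-src does not inherit from default-src; list 'self' again there.` The wildcard host is also broad, since every google.com subdomain becomes a permitted script origin, and that is worth stating in the comment because this example is likely to be copied as-is. How the value is turned into a response header is outside this hunk, so I have assumed it is sent verbatim.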
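Review bot: The suggested `security_referrer_policy` default `origin-when-cross-origin` still sends the origin on an HTTPS-to-HTTP downgrade; `strict-origin-when-cross-origin` keeps the same cross-origin behaviour otherwise and withholds the referrer on downgrade, so `//$_configuration['security_referrer_policy'] = 'strict-origin-when-cross-origin';` is the safer example to ship. Separately, the neighbouring `security_x_content_type_options` example carries the full header (`'X-Content-Type-Options: nosniff'`) while this value is bare; if the consuming code does not prefix `Referrer-Policy: ` for this key the emitted header would be malformed. I cannot confirm which form the consumer expects from the hunk, so either verify it or add a comment stating which keys take a bare value and which take the full header line.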