update security headers following Moz recom

Author: jekuer

.htaccess

@@ -5,7 +5,7 @@
   Header set X-XSS-Protection "1; mode=block"
   Header set X-Content-Type-Options "nosniff"
   Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
-  Header set Referrer-Policy "no-referrer-when-downgrade"
+  Header set Referrer-Policy "strict-origin-when-cross-origin"
   # Put your domain here (or your wildcard *, if you experience any problems)
   Header set Access-Control-Allow-Origin "https://YOURDOMAIN.com/"
   # Adjust to your needs. GET should be enough for simple landingpages. Sometimes, you might need 'GET, POST'.

config.php

@@ -47,7 +47,7 @@
 
 // Base URL of your microsite.
 $the_page_url = 'https://YOURDOMAIN.com/';
-// $the_page_url = '/'; (use this for localhost dev/tests via Docker)
+// $the_page_url = '/'; // (use this for localhost dev/tests via Docker)
 
 // PWA settings.
 $the_webapp_name = 'Put the name for the webapp here'; // Mind manifest.json too.

nginx_conf/nginx.conf

@@ -106,7 +106,7 @@
     add_header X-XSS-Protection '1; mode=block';
     add_header X-Content-Type-Options nosniff;
     add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
-    add_header Referrer-Policy no-referrer-when-downgrade;
+    add_header Referrer-Policy strict-origin-when-cross-origin;
     # Uses your domain from the server_name above here (or your wildcard *, if you experience any problems)
     add_header Access-Control-Allow-Origin 'https://'$server_name;
     # Adjust to your needs. GET should be enough for simple landingpages. Sometimes, you might need 'GET, POST'.

templates/header.php

@@ -36,7 +36,7 @@
     }
     ?>
 
-    <!-- Preload fonts (optional, only .woff2 recommended) -->
+    <!-- Preload fonts (optional, only .woff2 and only the ones you use above the fold recommended) -->
     <link rel="preload" href="./assets/fonts/open-sans-v17-latin-regular.woff2" as="font" type="font/woff2" crossorigin>
     <link rel="preload" href="./assets/fonts/open-sans-v17-latin-600.woff2" as="font" type="font/woff2" crossorigin>
     <link rel="preload" href="./assets/fonts/open-sans-v17-latin-800.woff2" as="font" type="font/woff2" crossorigin>

templates/php_security_headers.php

@@ -6,7 +6,7 @@
 header("X-XSS-Protection: 1; mode=block");
 header("X-Content-Type-Options: nosniff");
 header("Strict-Transport-Security: max-age=31536000; includeSubDomains");
-header("Referrer-Policy: no-referrer-when-downgrade");
+header("Referrer-Policy: strict-origin-when-cross-origin");
 header("Access-Control-Allow-Origin: ". $the_page_url);
 // Adjust to your needs. GET should be enough for simple landingpages. Sometimes, you might need 'GET, POST'.
 header("Access-Control-Allow-Methods: GET");