override Referrer-Policy response header

etc/nginx/sites-available/mastodon.conf

@@ -87,55 +87,55 @@ server {
   # then needed must replace line `try_files $uri =404;` with `try_files $uri @proxy;`.
   location = /sw.js {
     add_header Cache-Control "public, max-age=604800, must-revalidate";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
     try_files $uri =404;
   }
 
   location ~ ^/assets/ {
     add_header Cache-Control "public, max-age=2419200, must-revalidate";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
     try_files $uri =404;
   }
 
   location ~ ^/avatars/ {
     add_header Cache-Control "public, max-age=2419200, must-revalidate";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
     try_files $uri =404;
   }
 
   location ~ ^/emoji/ {
     add_header Cache-Control "public, max-age=2419200, must-revalidate";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
     try_files $uri =404;
   }
 
   location ~ ^/headers/ {
     add_header Cache-Control "public, max-age=2419200, must-revalidate";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
     try_files $uri =404;
   }
 
   location ~ ^/packs/ {
     add_header Cache-Control "public, max-age=2419200, must-revalidate";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
     try_files $uri =404;
   }
 
   location ~ ^/shortcuts/ {
     add_header Cache-Control "public, max-age=2419200, must-revalidate";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
     try_files $uri =404;
   }
 
   location ~ ^/sounds/ {
     add_header Cache-Control "public, max-age=2419200, must-revalidate";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
     try_files $uri =404;
   }
 
   location ~ ^/system/ {
     add_header Cache-Control "public, max-age=2419200, immutable";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
     try_files $uri =404;
   }
 
@@ -153,11 +153,10 @@ server {
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection $connection_upgrade;
 
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
 
     # jake: added (debugging)
-    add_header Via $proxy_host;
+    add_header Via "1.1 $proxy_host" always;
-    add_header X-Got-Milk "2%";
 
     tcp_nodelay on;
   }
@@ -183,10 +182,14 @@ server {
     proxy_cache_valid 410 24h;
     proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
 
+    # jake: added (security)
+    proxy_hide_header Referrer-Policy;
+    add_header Referrer-Policy "strict-origin" always;
+
     # jake: added (debugging)
-    add_header Via $proxy_host;
+    add_header Via "1.1 $proxy_host" always;
-    add_header X-Cache-Status $upstream_cache_status;
+    add_header X-Cache-Status $upstream_cache_status always;
-    add_header X-Got-Milk "2%";
+    add_header X-Got-Milk "2%" always;
 
     tcp_nodelay on;
   }