Add ReferrerPolicy to Secure middleware

echo.go

@@ -222,6 +222,7 @@ const (
 	HeaderContentSecurityPolicy           = "Content-Security-Policy"
 	HeaderContentSecurityPolicyReportOnly = "Content-Security-Policy-Report-Only"
 	HeaderXCSRFToken                      = "X-CSRF-Token"
+	HeaderReferrerPolicy                  = "Referrer-Policy"
 )
 
 const (

middleware/secure.go

@@ -66,6 +66,11 @@ type (
 		// maintained by Chrome (and used by Firefox and Safari): https://hstspreload.org/
 		// Optional.  Default value false.
 		HSTSPreloadEnabled bool `yaml:"hsts_preload_enabled"`
+
+		// ReferrerPolicy sets the `Referrer-Policy` header providing security against
+		// leaking potentially sensitive request paths to third parties.
+		// Optional. Default value "".
+		ReferrerPolicy string `yaml:"referrer_policy"`
 	}
 )
 
@@ -131,6 +136,9 @@ func SecureWithConfig(config SecureConfig) echo.MiddlewareFunc {
 					res.Header().Set(echo.HeaderContentSecurityPolicy, config.ContentSecurityPolicy)
 				}
 			}
+			if config.ReferrerPolicy != "" {
+				res.Header().Set(echo.HeaderReferrerPolicy, config.ReferrerPolicy)
+			}
 			return next(c)
 		}
 	}

middleware/secure_test.go

@@ -25,6 +25,7 @@ func TestSecure(t *testing.T) {
 	assert.Equal(t, "SAMEORIGIN", rec.Header().Get(echo.HeaderXFrameOptions))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderStrictTransportSecurity))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicy))
+	assert.Equal(t, "", rec.Header().Get(echo.HeaderReferrerPolicy))
 
 	// Custom
 	req.Header.Set(echo.HeaderXForwardedProto, "https")
@@ -36,13 +37,15 @@ func TestSecure(t *testing.T) {
 		XFrameOptions:         "",
 		HSTSMaxAge:            3600,
 		ContentSecurityPolicy: "default-src 'self'",
+		ReferrerPolicy:        "origin",
 	})(h)(c)
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderXXSSProtection))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderXContentTypeOptions))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderXFrameOptions))
 	assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))
 	assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicy))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))
+	assert.Equal(t, "origin", rec.Header().Get(echo.HeaderReferrerPolicy))
 
 	// Custom with CSPReportOnly flag
 	req.Header.Set(echo.HeaderXForwardedProto, "https")
@@ -55,13 +58,15 @@ func TestSecure(t *testing.T) {
 		HSTSMaxAge:            3600,
 		ContentSecurityPolicy: "default-src 'self'",
 		CSPReportOnly:         true,
+		ReferrerPolicy:        "origin",
 	})(h)(c)
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderXXSSProtection))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderXContentTypeOptions))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderXFrameOptions))
 	assert.Equal(t, "max-age=3600; includeSubdomains", rec.Header().Get(echo.HeaderStrictTransportSecurity))
 	assert.Equal(t, "default-src 'self'", rec.Header().Get(echo.HeaderContentSecurityPolicyReportOnly))
 	assert.Equal(t, "", rec.Header().Get(echo.HeaderContentSecurityPolicy))
+	assert.Equal(t, "origin", rec.Header().Get(echo.HeaderReferrerPolicy))
 
 	// Custom, with preload option enabled
 	req.Header.Set(echo.HeaderXForwardedProto, "https")