Set Referrer-Policy header
uffd does not rely on the Referer header at all, so we should disable it altogether (i.e. set Referrer-Policy: no-referrer). Since this is application-specific and not deployment-specific, the application should IMHO set this policy (in contrast to HSTS).
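
One way to set the policy at the application layer rather than in the reverse proxy, as an added example that is not uffd's own code: a WSGI middleware that forces exactly one `Referrer-Policy: no-referrer` header onto every response, including error responses that set a weaker value. It assumes a Python WSGI application; `NoReferrerMiddleware`, `demo_app` and `response_headers` are hypothetical names, and the requests are constructed.

```python
# Added example: enforce Referrer-Policy: no-referrer in the application itself.
# Assumption: the app is a Python WSGI application; all names are hypothetical.
from wsgiref.util import setup_testing_defaults

POLICY = ("Referrer-Policy", "no-referrer")


class NoReferrerMiddleware:
    """Wrap a WSGI app so every response carries exactly one Referrer-Policy."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            # Drop any policy set further down the stack (header names are
            # case-insensitive), then append the strict value.
            kept = [(k, v) for k, v in headers if k.lower() != POLICY[0].lower()]
            kept.append(POLICY)
            return start_response(status, kept, exc_info)

        return self.app(environ, patched_start_response)


def demo_app(environ, start_response):
    """Constructed sample app: its error page sets a weaker policy."""
    if environ["PATH_INFO"] == "/missing":
        start_response("404 Not Found", [("Content-Type", "text/plain"),
                                         ("referrer-policy", "unsafe-url")])
        return [b"not found"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def response_headers(app, path):
    """Issue one constructed GET request and return (status, headers)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    b"".join(app(environ, start_response))  # consume the body
    return captured["status"], captured["headers"]
```

Checking the header on an error path as well as a normal page confirms the policy does not depend on which view produced the response.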