lib/aaf/secure_headers.rb in aaf-secure_headers-2.0.0 vs lib/aaf/secure_headers.rb in aaf-secure_headers-3.0.0
@@ -7,21 +7,19 @@
module SecureHeaders
::SecureHeaders::Configuration.default do |config|
config.cookies = {
secure: true,
httponly: true,
- samesite: {
- lax: false
- }
+ samesite: ::SecureHeaders::OPT_OUT
}
config.hsts = "max-age=#{6.months.to_i}; includeSubdomains; preload"
config.x_frame_options = 'DENY'
config.x_content_type_options = 'nosniff'
config.x_xss_protection = '1; mode=block'
config.x_download_options = 'noopen'
config.x_permitted_cross_domain_policies = 'none'
- config.referrer_policy = 'no-referrer'
+ config.referrer_policy = 'strict-origin'
config.csp = {
preserve_schemes: false,
block_all_mixed_content: true,
upgrade_insecure_requests: true,