Describe the bug
https://docs.spring.io/spring-security/reference/reactive/exploits/headers.html#webflux-headers-referrer says:
"By default, Spring Security does not add Referrer Policy headers."
But in fact, it does for reactive applications, and the default value is "no-referrer". Note that this is not the case for the servlet stack.
To Reproduce
1. Create a Spring Boot App with webflux and security (as below)
2. Start it and open it in a browser (it will show the login page)
3. In the network console of the browser, it shows "Referrer-Policy: no-referrer" in the HTTP response headers.
Expected behavior
The behavior for the reactive stack should be consistent with the documentation. Preferably, it should also be consistent with the behavior for the servlet stack.
Sample https://start.spring.io/#!type=maven-project&language=java&platformVersion=3.1.1&packaging=jar&jvmVersion=17&groupId=com.example&artifactId=referrerdemo&name=referrerdemo&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.referrerdemo&dependencies=webflux,security
Comment From: marcusdacoregio
Hi @stefanocke, thanks for the report.
It seems that the header has always been added by default, therefore we cannot change the behavior now since it is a breaking change and it is a better security default. In my opinion, the best approach here would be to update the documentation to reflect that Referrer-Policy: no-referrer is added, which is aligned with the recommendations [1][2].
In order to align the Servlet implementation, we can change the defaults to also include Referrer-Policy: no-referrer, but that won't happen until Spring Security 7.0 since it is a breaking change, I've created https://github.com/spring-projects/spring-security/issues/13567 to track it.
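The following is an added example, not code from the issue reporter or from Spring Security itself. It shows how a WebFlux application can state the Referrer-Policy explicitly instead of relying on the stack's default, so that the header is the same whether the reactive or the servlet implementation ever changes its defaults, and it includes a WebTestClient check that asserts the header is actually present on a response. It assumes Spring Boot 3.1.1 with the webflux and security starters (the versions from the start.spring.io link above) and uses the `ServerHttpSecurity` header DSL; the class names `SecurityConfig` and `ReferrerPolicyHeaderTest` are placeholders.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.header.ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy;
import org.springframework.test.web.reactive.server.WebTestClient;

// Reactive security configuration that sets Referrer-Policy explicitly.
// Pinning the value here means the application no longer depends on the
// undocumented default discussed in this issue.
@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // Every exchange requires an authenticated user; unauthenticated
            // requests are redirected to the default login page.
            .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
            .formLogin(Customizer.withDefaults())
            // Explicit header policy: "no-referrer" stops the browser from
            // leaking the URL (including any path or query data) to other origins.
            .headers(headers -> headers
                .referrerPolicy(referrer -> referrer.policy(ReferrerPolicy.NO_REFERRER)));
        return http.build();
    }
}

// Integration test (placeholder name) that verifies the header is written on
// a real response instead of inspecting it by hand in the browser.
@SpringBootTest
@AutoConfigureWebTestClient
class ReferrerPolicyHeaderTest {

    @Autowired
    WebTestClient webTestClient;

    @Test
    void responseCarriesNoReferrerPolicy() {
        webTestClient.get().uri("/")
            .exchange()
            // An unauthenticated request is redirected to /login, but the
            // security headers are written on that response as well.
            .expectHeader().valueEquals("Referrer-Policy", "no-referrer");
    }
}
```

The servlet stack has the same shape of DSL on `HttpSecurity` (`headers(h -> h.referrerPolicy(...))` with `ReferrerPolicyHeaderWriter.ReferrerPolicy`), so a servlet application that wants parity before the default change tracked in the linked issue can declare the same policy explicitly rather than waiting for a new default.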
Comment From: marcusdacoregio
With that said, are you interested in submitting a PR that updates the documentation? Ideally, the PR should target the 5.8.x branch.