lighthouse-security

Add Referrer-Policy header audit?

Open jbmoelker opened this issue 7 years ago • 0 comments

The Referrer-Policy header is new and arguably a good practice. It accepts various different values: "", "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin", "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin", "unsafe-url". Alternatively, a noreferrer value can also be set using a <link> or <a> tag. So the header is not strictly needed.

Do we consider it good practice to have the header? What values do we grade as good?

See A new security header: Referrer Policy by Scott Helme.

jbmoelker Aug 14 '17 15:08
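
An added example, not part of the original issue or the lighthouse-security code: a sketch of how such an audit could resolve the effective policy from the header and grade it by what the policy discloses. The names `POLICIES`, `effectivePolicy` and `auditReferrerPolicy`, the lowercasing of tokens, and the pass/warn/fail thresholds are assumptions of this example; the issue leaves the grading question open.

```javascript
// What each policy sends cross-origin ("cross") and on an HTTPS -> HTTP
// downgrade ("downgrade"): the full URL, only the origin, or nothing.
const POLICIES = new Map([
  ['no-referrer',                     { cross: 'none',   downgrade: 'none' }],
  ['no-referrer-when-downgrade',      { cross: 'url',    downgrade: 'none' }],
  ['same-origin',                     { cross: 'none',   downgrade: 'none' }],
  ['origin',                          { cross: 'origin', downgrade: 'origin' }],
  ['strict-origin',                   { cross: 'origin', downgrade: 'none' }],
  ['origin-when-cross-origin',        { cross: 'origin', downgrade: 'origin' }],
  ['strict-origin-when-cross-origin', { cross: 'origin', downgrade: 'none' }],
  ['unsafe-url',                      { cross: 'url',    downgrade: 'url' }],
]);

// Resolve the effective policy from one or more Referrer-Policy header
// values: split on commas, skip unknown tokens and the empty string, and
// let the last recognised token win (this is what makes fallback lists work).
function effectivePolicy(headerValues) {
  let policy = null;
  for (const token of headerValues.join(',').split(',')) {
    const name = token.trim().toLowerCase();
    if (POLICIES.has(name)) policy = name;
  }
  return policy;
}

// Grading thresholds are an assumption of this example; the issue leaves
// "what is good" open.
function auditReferrerPolicy(headerValues) {
  const policy = effectivePolicy(headerValues);
  if (policy === null) {
    return { policy, grade: 'missing', reason: 'no recognised policy; browser default applies' };
  }
  const { cross, downgrade } = POLICIES.get(policy);
  if (cross === 'url') {
    return { policy, grade: 'fail', reason: 'full URL (path and query) sent to other origins' };
  }
  if (downgrade !== 'none') {
    return { policy, grade: 'warn', reason: 'origin sent over plain HTTP on downgrade' };
  }
  return { policy, grade: 'pass', reason: 'at most the origin leaves the site, never on downgrade' };
}

// Constructed sample header values.
for (const sample of [['unsafe-url'], ['origin'], ['no-referrer, strict-origin-when-cross-origin'], ['']]) {
  console.log(JSON.stringify(sample), auditReferrerPolicy(sample));
}
```

A header that lists several tokens is graded on the last one the parser recognises, so a fallback list such as `no-referrer, strict-origin-when-cross-origin` is judged as `strict-origin-when-cross-origin`.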