I am trying to disable sending referrer information to other websites on a Tomcat 9.x web server. I searched the Tomcat documentation but there was nothing to find about this specific Referrer-Policy.
Setting special (security) response headers is a web application task. You can either create a servlet Filter that adds whichever headers you want:
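
    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletResponse;

    public class MyFilter implements Filter
    {
        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
        {
            // Set the header before the chain runs: once the response is committed, header changes are ignored.
            HttpServletResponse httpServletResponse = (HttpServletResponse) response;
            httpServletResponse.addHeader("Referrer-Policy", "no-referrer");
            chain.doFilter(request, response);
        }
        // ...
    }
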
Or if you are using Spring Security, you can use their header configuration feature:
Example XML configuration from Spring Security docs:

    <http>
        <!-- ... -->
        <headers>
            <referrer-policy policy="same-origin" />
        </headers>
    </http>

Example Java configuration from Spring Security docs:
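
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;

    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // ...
                .headers()
                    .referrerPolicy(ReferrerPolicy.SAME_ORIGIN);
        }
    }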
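
A client-side check of the result, as an added example that is not part of the original answer: given a raw HTTP response, it reports which Referrer-Policy a browser would apply, including when the header appears more than once (possible when a filter uses `addHeader` and another layer also sets the header) or lists several tokens. The function names and the sample responses are constructed for illustration.

```python
# Added example (not from the original answer): audit the effective Referrer-Policy.
VALID = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Only these two policies send nothing at all to other origins.
NO_CROSS_ORIGIN = {"no-referrer", "same-origin"}


def effective_policy(raw_response):
    """Return the policy a browser would apply, or None if none is recognized.

    Repeated headers are combined into one comma-separated list and the last
    recognized token wins. Tokens are matched against the lowercase spellings
    only, which is a deliberately conservative choice for an audit.
    """
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    tokens = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "referrer-policy":
            tokens += [t.strip() for t in value.split(",")]
    policy = None
    for token in tokens:
        if token in VALID:
            policy = token
    return policy


def leaks_cross_origin(raw_response):
    """True unless the effective policy suppresses all cross-origin referrers.

    A missing or unrecognized policy counts as leaking, because the browser
    then falls back to its own default.
    """
    return effective_policy(raw_response) not in NO_CROSS_ORIGIN


def sample(*headers):
    """Build a constructed raw response carrying the given header lines."""
    return "HTTP/1.1 200 \r\n" + "".join(h + "\r\n" for h in headers) + "\r\n<html></html>"


if __name__ == "__main__":
    for resp in (sample("Referrer-Policy: no-referrer"),
                 sample("Referrer-Policy: no-referrer", "Referrer-Policy: unsafe-url"),
                 sample("Content-Type: text/html")):
        print(effective_policy(resp), leaks_cross_origin(resp))
```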