Referrer Header is set in Reactive Web Applications by default, although doc says it is not.

[stefanocke]

Describe the bug

https://docs.spring.io/spring-security/reference/reactive/exploits/headers.html#webflux-headers-referrer says:

"By default, Spring Security does not add Referrer Policy headers."

But in fact, it does for reactive applications. And the default value is "no-referrer"
Note, that this is not the case for servlet stack.

To Reproduce

1. Create a Spring Boot App with webflux and security (as below)
2. Start it and open it in a browser (it will show login page)
3. In the network console of the browser, it shows "Referrer-Policy: no-referrer" in the HTTP repsonse hhaders.

Expected behavior
The behavior for reactive stack should be consistent with the documentation.
Preferrably, it should also be consistent with the behavior for servlet stack.

Sample
https://start.spring.io/#!type=maven-project&language=java&platformVersion=3.1.1&packaging=jar&jvmVersion=17&groupId=com.example&artifactId=referrerdemo&name=referrerdemo&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.referrerdemo&dependencies=webflux,security

[marcusdacoregio]

Hi @stefanocke, thanks for the report.

It seems that the header has always been added by default, therefore we cannot change the behavior now since it is a breaking change and it is a better security default. In my opinion, the best approach here would be to update the documentation to reflect that Referrer-Policy: no-referrer is added, which is aligned with the recommendations [1][2].

In order to align the Servlet implementation, we can change the defaults to also include Referrer-Policy: no-referrer, but that won't happen until Spring Security 7.0 since it is a breaking change, I've created #13567 to track it.

[marcusdacoregio]

With that said, are you interested in submitting a PR that updates the documentation? Ideally, the PR should target the 5.8.x branch.