aaronrenner / phx_gen_auth

An authentication system generator for Phoenix 1.5 applications.

Referrer policy to prevent token leak #41

Closed StephaneRob closed 4 years ago

StephaneRob commented 4 years ago

What do you think about adding a referrer policy header on GET /users/reset_password/:token to prevent token leak via the referrer?

josevalim commented 4 years ago

Hi @StephaneRob! The system was designed so you can't hijack an account with just the token - which is good practice, as it can also leak in logs, exception tracking, etc - so the referrer policy is not necessary. But probably something you want to add to your app globally anyway, so go for it. :)
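Both placements discussed in this thread (app-wide in the browser pipeline, or only on the reset-password route), as an added Elixir example that is not code from phx_gen_auth or from either participant. The `MyAppWeb.*` module names and the `ReferrerPolicy` plug are assumed; the `:edit`/`:update` actions are the ones that serve `GET /users/reset_password/:token` and its form submission in a generated app.

```elixir
# Added example (not part of phx_gen_auth): a Plug that sets the
# Referrer-Policy header so the browser omits the page URL, and with it
# the reset token in the path, from the Referer header of any request
# made from the reset page (links, images, scripts, form posts).
defmodule MyAppWeb.Plugs.ReferrerPolicy do
  @moduledoc """
  Sets `referrer-policy` on the response. Defaults to `no-referrer`, the
  strictest value; `strict-origin-when-cross-origin` still strips the
  path (and the token) from cross-origin requests but keeps the origin.
  """
  import Plug.Conn

  @valid ~w(no-referrer same-origin strict-origin strict-origin-when-cross-origin)

  def init(opts) do
    policy = Keyword.get(opts, :policy, "no-referrer")
    # Fail at compile time rather than silently shipping a misspelled value.
    unless policy in @valid, do: raise(ArgumentError, "unknown referrer policy: #{policy}")
    policy
  end

  def call(conn, policy), do: put_resp_header(conn, "referrer-policy", policy)
end

# Option 1 (josevalim's suggestion): apply it app-wide from the router's
# :browser pipeline. put_secure_browser_headers/2 accepts a map of extra
# headers, so no custom plug is needed for the global case.
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :protect_from_forgery
    plug :put_secure_browser_headers, %{"referrer-policy" => "no-referrer"}
  end
end

# Option 2 (StephaneRob's suggestion): only the actions whose URL carries
# the token. The plug is scoped with a `when action in` guard, so the
# header is added for GET /users/reset_password/:token and the PUT that
# the reset form submits to, and nothing else in the controller.
defmodule MyAppWeb.UserResetPasswordController do
  use MyAppWeb, :controller

  plug MyAppWeb.Plugs.ReferrerPolicy, [policy: "no-referrer"] when action in [:edit, :update]
end
```

In a real app these are lines to add to the existing router and controller modules, not replacement modules; the header can be confirmed with `curl -I` against the reset URL or in the browser's network panel.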