diff --git a/app/controllers/concerns/web_app_controller_concern.rb b/app/controllers/concerns/web_app_controller_concern.rb
index 249bb20a25..1d8ee43507 100644
--- a/app/controllers/concerns/web_app_controller_concern.rb
+++ b/app/controllers/concerns/web_app_controller_concern.rb
@@ -7,6 +7,7 @@ module WebAppControllerConcern
     vary_by 'Accept, Accept-Language, Cookie'
 
     before_action :redirect_unauthenticated_to_permalinks!
+    before_action :set_referer_header
 
     content_security_policy do |p|
       policy = ContentSecurityPolicy.new
@@ -41,4 +42,10 @@ module WebAppControllerConcern
       end
     end
   end
+
+  protected
+
+  def set_referer_header
+    response.set_header('Referrer-Policy', Setting.allow_referrer_origin ? 'origin' : 'same-origin')
+  end
 end
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 4b1d327d93..6d4c30cd20 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -153,7 +153,7 @@ Rails.application.configure do
     'X-Frame-Options' => 'DENY',
     'X-Content-Type-Options' => 'nosniff',
     'X-XSS-Protection' => '0',
-    'Referrer-Policy' => ENV['ALLOW_REFERRER_ORIGIN'] == 'true' ? 'origin' : 'same-origin',
+    'Referrer-Policy' => 'same-origin',
   }
 
   # TODO: Remove once devise-two-factor data migration complete
diff --git a/config/settings.yml b/config/settings.yml
index 673a4c1be2..ba81fcb8c6 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -51,6 +51,7 @@ defaults: &defaults
   require_invite_text: false
   backups_retention_period: 7
   captcha_enabled: false
+  allow_referer_origin: false
 
 development:
   <<: *defaults
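Review bot: The setting key read in `set_referer_header` does not match the key this commit defines: the controller reads `Setting.allow_referrer_origin` (double r) while settings.yml adds `allow_referer_origin` (single r), so the new default is never consulted and, depending on how `Setting` treats an unknown key, the header is either always `'same-origin'` or the lookup fails at request time. Pick one spelling on both sides; since the header itself and the removed `ALLOW_REFERRER_ORIGIN` env var use the standard spelling, `allow_referrer_origin: false` in settings.yml is the smaller change, and renaming the callback to `set_referrer_header` would keep the three names consistent. Keeping `'same-origin'` as the production.rb default and only widening it per request is the right layering, since the stricter header still covers every controller that does not include this concern. One follow-up worth considering: if the opt-in's purpose is to expose the site origin to external destinations, `'strict-origin'` does that as well but withholds the origin on an HTTPS-to-HTTP navigation, so it leaks less than `'origin'`; I have hedged this as a follow-up because `'origin'` preserves the previous env-var behavior.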