diff --git a/src/nginxconfig.ejs b/src/nginxconfig.ejs
index 5e431f81e..0eadf3cc8 100644
--- a/src/nginxconfig.ejs
+++ b/src/nginxconfig.ejs
@@ -4,6 +4,12 @@ map $http_upgrade $connection_upgrade {
     '' close;
 }
 
+# Allow apps to override this https://stackoverflow.com/questions/13583501/nginx-how-to-add-header-if-it-is-not-set
+map $upstream_http_referrer_policy $hrp {
+    default $upstream_http_referrer_policy;
+    "" "same-origin";
+}
+
 # http server
 server {
 <% if (endpoint === 'ip' || endpoint === 'setup') { -%>
@@ -101,7 +107,9 @@ server {
     proxy_hide_header X-Content-Type-Options;
     add_header X-Permitted-Cross-Domain-Policies "none";
     proxy_hide_header X-Permitted-Cross-Domain-Policies;
-    add_header Referrer-Policy "same-origin";
+
+    # See header handling from upstream on top of this file
+    add_header Referrer-Policy $hrp;
     proxy_hide_header Referrer-Policy;
     # workaround caching issue after /logout. if max-age is set, browser uses cache and user thinks they have not logged out
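Review bot: The new `map $upstream_http_referrer_policy $hrp` makes whatever the upstream emits authoritative: only an absent header falls back to `same-origin`, so an upstream that sends a weaker or mistyped value (for example `unsafe-url`) reaches the client unchanged and the proxy no longer enforces a floor, whereas before this change it always did. If the intent is to let apps choose among policies the operator accepts rather than to delegate the decision entirely, an allowlist map that passes only recognised values and otherwise keeps the proxy default is the safer shape (sketched below; the value set is an example to be decided by the operator). Either way the comment should state the trust decision rather than only link the technique, e.g. `# Upstream's Referrer-Policy wins when present; the proxy default applies only when it is absent`. It is also worth a line noting that `proxy_hide_header Referrer-Policy` in the second hunk strips the upstream header from the response but does not clear `$upstream_http_referrer_policy`, which is why the map still sees it; the second hunk continues past the end of this excerpt.
```nginx
# Upstream may select one of these Referrer-Policy values; anything else
# (absent, empty or unrecognised) falls back to the proxy default.
# Example allowlist — adjust to the policies this deployment accepts.
map $upstream_http_referrer_policy $hrp {
    default                            "same-origin";
    "no-referrer"                      $upstream_http_referrer_policy;
    "same-origin"                      $upstream_http_referrer_policy;
    "strict-origin"                    $upstream_http_referrer_policy;
    "strict-origin-when-cross-origin"  $upstream_http_referrer_policy;
}
```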