I’m trying to figure out how to remove “query” as a possible response_mode to avoid the risk of exposing information via the referrer HTTP header. Looking through the documentation and even the Keycloak source code I don’t see any obvious way to do it. Does anybody know if it is possible to restrict the allowed response mode in any way?

If not, is there some other recommended way to handle the possibility of data leaks? We already set no-referrer as our referrer policy but ideally would like to avoid the possibility of sensitive query parameters showing up at all.