Referrer-Policy
Quick Reference
| Policy Value | Sends Referrer? | When? |
|---|---|---|
| no-referrer | Never | - |
| same-origin | Same origin only | Same-origin requests |
| strict-origin | Origin only | HTTPS to HTTPS |
| strict-origin-when-cross-origin | Full URL same-origin, origin cross-origin | Recommended default |
| no-referrer-when-downgrade | Full URL except HTTPS to HTTP | Browser default |
Why Referrer-Policy Matters
The HTTP Referer header is sent by default with most navigation and resource requests. If your site has URLs like example.com/dashboard/user/12345, that full URL is sent to any external site the user clicks through to and to any third-party resource loaded on the page. This leaks your internal URL structure and, potentially, user-specific information carried in the path or query string.
Setting Referrer-Policy: strict-origin-when-cross-origin (the recommended value) sends only the origin (https://example.com) when navigating to other sites, not the full URL path and query, and sends no referrer at all when the request downgrades from HTTPS to HTTP. This preserves referrer information for your own analytics (same-origin requests still get the full referrer) while preventing information leakage to third parties.
For sites handling sensitive data, Referrer-Policy: no-referrer or Referrer-Policy: same-origin provides the strictest control by sending no referrer to external sites at all. The tradeoff is that external sites cannot see where their traffic comes from, which may affect analytics or affiliate tracking.
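The following is an added example, not code from the original page: it implements the referrer-selection rules for every Referrer-Policy value and shows what the browser would put in the Referer header for the dashboard URL above when it reaches a same-origin page, an HTTPS third party, and an HTTP downgrade. The URLs are constructed sample values, and the downgrade check is simplified to "https source, http destination" (the real algorithm also exempts trustworthy http origins such as localhost and ignores per-element referrerpolicy overrides).

```python
from urllib.parse import urlsplit, urlunsplit

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def _host_port(url):
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port:
        netloc += f":{p.port}"
    return p, netloc


def full_referrer(url):
    """The 'full URL' form of a referrer: credentials and fragment are
    always stripped, path and query are kept."""
    p, netloc = _host_port(url)
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))


def origin_referrer(url):
    """The 'origin only' form: scheme://host[:port]/ with no path or query."""
    p, netloc = _host_port(url)
    return f"{p.scheme}://{netloc}/"


def referrer_for(policy, source, dest):
    """Return the Referer value sent for a request from `source` to `dest`
    under `policy`, or None if no Referer is sent.
    Simplification (assumption): a downgrade is any https -> http request."""
    same_origin = origin_referrer(source) == origin_referrer(dest)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(dest).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_referrer(source)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_referrer(source)
    if policy == "same-origin":
        return full_referrer(source) if same_origin else None
    if policy == "origin":
        return origin_referrer(source)
    if policy == "strict-origin":
        return None if downgrade else origin_referrer(source)
    if policy == "origin-when-cross-origin":
        return full_referrer(source) if same_origin else origin_referrer(source)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full_referrer(source)
        return None if downgrade else origin_referrer(source)
    raise ValueError(f"unknown policy: {policy}")


def leaks_path(policy, source, dest):
    """True if the request would expose the source URL's path or query."""
    sent = referrer_for(policy, source, dest)
    return sent is not None and sent != origin_referrer(source)


def leak_table(source, dest):
    """Map every policy to the Referer it would send for source -> dest."""
    return {p: referrer_for(p, source, dest) for p in POLICIES}


if __name__ == "__main__":
    # Constructed sample: a user-specific dashboard page and three destinations.
    page = "https://example.com/dashboard/user/12345?tab=billing"
    for target in ("https://example.com/settings",
                   "https://cdn.example.net/widget.js",
                   "http://legacy.example.org/"):
        print(f"\n{page} -> {target}")
        for policy, referer in leak_table(page, target).items():
            flag = "LEAKS PATH" if leaks_path(policy, page, target) else ""
            print(f"  {policy:32} {str(referer):55} {flag}")
```

Running it prints one table per destination; the rows flagged LEAKS PATH for the cross-origin targets are exactly no-referrer-when-downgrade and unsafe-url, which is the leak the section describes.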
How to Test for Referrer-Policy
A security audit checks that each response carries a Referrer-Policy header and that its value is acceptable. The recommended value is "strict-origin-when-cross-origin", or "no-referrer" for sensitive applications. Verify that your policy does not leak sensitive URL paths to third-party sites.
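As an added example (not part of the original page), the audit check below runs over a raw HTTP response head and classifies the Referrer-Policy it carries. It applies the header's merge rule, under which the last recognized policy token wins and unknown tokens are ignored, and reports a missing header as a failure rather than guessing which browser default would apply. The response texts are constructed samples; the pass/warn/fail grouping is this example's own choice.

```python
RECOGNIZED = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Path and query never leave the origin, and nothing is sent on downgrade.
ACCEPTABLE = {"no-referrer", "same-origin", "strict-origin",
              "strict-origin-when-cross-origin"}
# Only the origin reaches other sites, but it is still sent on HTTPS -> HTTP.
WEAK = {"origin", "origin-when-cross-origin"}
# Full path and query reach third parties (at least over HTTPS).
LEAKY = {"no-referrer-when-downgrade", "unsafe-url"}


def parse_headers(raw):
    """Split a raw HTTP response head into (name, value) pairs, names lowercased."""
    lines = raw.split("\r\n") if "\r\n" in raw else raw.split("\n")
    pairs = []
    for line in lines[1:]:          # skip the status line
        if not line.strip():
            break                   # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def effective_policy(values):
    """Merge all Referrer-Policy values: the LAST recognized token wins."""
    tokens = [t.strip().lower() for v in values for t in v.split(",")]
    chosen = None
    for t in tokens:
        if t in RECOGNIZED:
            chosen = t
    return chosen


def audit_referrer_policy(raw_response):
    """Return {'policy', 'verdict', 'reason'} for a raw HTTP response head."""
    values = [v for n, v in parse_headers(raw_response) if n == "referrer-policy"]
    if not values:
        return {"policy": None, "verdict": "fail",
                "reason": "Referrer-Policy header missing; behaviour depends on the browser default"}
    policy = effective_policy(values)
    if policy is None:
        return {"policy": None, "verdict": "fail",
                "reason": f"no recognized policy token in {values!r}"}
    if policy in ACCEPTABLE:
        verdict, reason = "pass", "no path or query leaves the origin; nothing sent on downgrade"
    elif policy in WEAK:
        verdict, reason = "warn", "origin is still sent on an HTTPS to HTTP downgrade"
    else:
        verdict, reason = "fail", "full URL path and query are sent to third-party sites"
    return {"policy": policy, "verdict": verdict, "reason": reason}


if __name__ == "__main__":
    # Constructed sample responses, as a scanner or curl -i would capture them.
    SAMPLES = {
        "recommended": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                       "Referrer-Policy: strict-origin-when-cross-origin\r\n\r\n<html>",
        "missing":     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
        "leaky":       "HTTP/1.1 200 OK\r\nreferrer-policy: unsafe-url\r\n\r\n",
        "last wins":   "HTTP/1.1 200 OK\r\nReferrer-Policy: no-referrer, unsafe-url\r\n\r\n",
        "unknown":     "HTTP/1.1 200 OK\r\nReferrer-Policy: bogus, no-referrer\r\n\r\n",
    }
    for label, raw in SAMPLES.items():
        r = audit_referrer_policy(raw)
        print(f"{label:12} {r['verdict']:5} policy={r['policy']!s:32} {r['reason']}")
```

The "last wins" sample is the case worth remembering when reviewing a site behind a CDN or reverse proxy that appends its own value: a safe first token does not protect you if a leaky token follows it.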