Referrer-Policy Header Explained
Referrer-Policy is an HTTP response header that controls how much referrer information is sent when a user navigates away from your site. Setting it to strict-origin-when-cross-origin or no-referrer prevents sensitive URL paths, query parameters, and internal page structures from leaking to third-party sites.
Recommended Value
```http
Referrer-Policy: strict-origin-when-cross-origin
```
What Each Directive Does
| Directive | Purpose |
|---|---|
| no-referrer | Never send any referrer information |
| strict-origin-when-cross-origin | Send the full URL for same-origin requests, only the origin for cross-origin HTTPS→HTTPS requests, and nothing for HTTPS→HTTP downgrades |
| same-origin | Send the full URL only for same-origin requests, nothing for cross-origin requests |
| origin | Send only the origin (scheme+host+port) for every request, never the path or query string, even on an HTTPS→HTTP downgrade |
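As an added example (not code from the original page), the directive semantics in the table above expressed as a small function: given a policy, the page the user is leaving, and the link target, it returns the Referer value a browser would send, or null when nothing is sent. The URLs in the demo are constructed; fragments and credentials are stripped because browsers never include them in a referrer.

```javascript
// Returns the Referer header value a browser sends when navigating from
// `fromUrl` to `toUrl` under `policy`, or null when no referrer is sent.
// Covers the four directives discussed on this page.

function fullReferrer(u) {
  // Full URL form: scheme, host, port, path and query; no fragment or userinfo.
  const url = new URL(u);
  url.hash = '';
  url.username = '';
  url.password = '';
  return url.href;
}

function originReferrer(u) {
  // Origin form is serialized with a trailing slash, e.g. "https://example.com/".
  return new URL(u).origin + '/';
}

function refererFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  // Downgrade: leaving an HTTPS page for a non-HTTPS destination.
  const downgrade = from.protocol === 'https:' && to.protocol !== 'https:';

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'same-origin':
      return sameOrigin ? fullReferrer(fromUrl) : null;
    case 'origin':
      // Origin is sent regardless of destination, including downgrades.
      return originReferrer(fromUrl);
    case 'strict-origin-when-cross-origin':
      if (downgrade) return null;
      return sameOrigin ? fullReferrer(fromUrl) : originReferrer(fromUrl);
    default:
      throw new Error(`unsupported policy: ${policy}`);
  }
}

// Constructed demo: one outbound click from an admin page under each directive.
const demoFrom = 'https://app.example.com/admin/users?id=42#row-7';
for (const p of ['no-referrer', 'strict-origin-when-cross-origin', 'same-origin', 'origin']) {
  console.log(p.padEnd(32), refererFor(p, demoFrom, 'https://ads.example.net/track'));
}
```

Run with node; the output shows that only no-referrer and same-origin keep the admin path and query out of every cross-origin request, while strict-origin-when-cross-origin reveals just the origin.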
What Happens Without This Header
Without Referrer-Policy, the full URL (including path, query parameters, and fragments) is sent as the Referer header when users click outbound links. This can leak sensitive data like session tokens in URLs, internal admin paths, search queries, or user-specific page URLs to third-party analytics, ads, or linked sites.
How to Implement
```nginx
# Nginx
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
```

```apache
# Apache
Header always set Referrer-Policy "strict-origin-when-cross-origin"
```

```javascript
// Express.js
app.use((req, res, next) => {
  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
  next();
});
```
Testing and Report-Only
Referrer-Policy has no report-only mode. To test, check your outbound link behavior using browser DevTools Network tab — inspect the Referer header on cross-origin requests.