Referrer-Policy

Protects data from being leaked to 3rd party or insecure origins.

This HTTP response header determines how much information is put into the "Referer" header on the requests a page makes (navigations and subresource loads). It should be used to limit the amount of information shared with 3rd party resources and to prevent personally identifying information in the URL (tokens, account ids, search terms) from being leaked. Here are the potential values:

  • no-referrer: No referrer information is sent.
  • no-referrer-when-downgrade: Sends full referrer information unless the security protocol is being downgraded from https to http. This is the default setting for older browsers.
  • origin: Only sends the origin (https://example.com) as the referrer and strips out the path and query string.
  • origin-when-cross-origin: Same as "origin" except when the origin matches the request, full referrer information is sent.
  • same-origin: Same as "no-referrer", except when the origin matches the request, full referrer information is sent.
  • strict-origin: Same as "origin" except if the security protocol is different, don't send anything.
  • strict-origin-when-cross-origin: Sends full referrer information if the origin matches the request. If not, send only the origin unless the security protocol is being downgraded, in which case send nothing. This is the default setting for modern browsers.
  • unsafe-url: Sends full referrer information on all requests (not recommended).
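To make the table above concrete, here is an added example (not part of the original page) that works out the Referer value a browser would send for each policy, given the page URL and the destination URL. It assumes well-formed absolute URLs and treats only an https to http transition as a downgrade; the `referrerFor` and `policiesLeakingQuery` helpers are constructed for this illustration.

```javascript
const ALL_POLICIES = [
  "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
  "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
];

// Returns the Referer header value (or null for "send nothing") for one request.
function referrerFor(policy, sourceUrl, destinationUrl) {
  const src = new URL(sourceUrl);
  const dst = new URL(destinationUrl);
  const full = src.origin + src.pathname + src.search; // fragment is never sent
  const originOnly = src.origin + "/";                  // origin serialised with "/"
  const sameOrigin = src.origin === dst.origin;
  // Assumption: downgrade means https page -> http destination.
  const downgrade = src.protocol === "https:" && dst.protocol === "http:";

  switch (policy) {
    case "no-referrer":                  return null;
    case "no-referrer-when-downgrade":   return downgrade ? null : full;
    case "origin":                       return originOnly;
    case "origin-when-cross-origin":     return sameOrigin ? full : originOnly;
    case "same-origin":                  return sameOrigin ? full : null;
    case "strict-origin":                return downgrade ? null : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    case "unsafe-url":                   return full;
    default: throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// Which policies would let the query string (where tokens often live) reach the destination?
function policiesLeakingQuery(sourceUrl, destinationUrl) {
  return ALL_POLICIES.filter(
    (p) => (referrerFor(p, sourceUrl, destinationUrl) || "").includes("?")
  );
}

// Constructed sample: a page whose URL carries a session token, loading a 3rd party pixel.
const page = "https://app.example.com/account?session=abc123";
const httpTracker = "http://tracker.example.net/pixel.gif";
const httpsTracker = "https://tracker.example.net/pixel.gif";

console.log(policiesLeakingQuery(page, httpTracker));  // ["unsafe-url"]
console.log(policiesLeakingQuery(page, httpsTracker)); // ["no-referrer-when-downgrade", "unsafe-url"]
```

Note that the default for modern browsers, strict-origin-when-cross-origin, sends only `https://app.example.com/` to the https tracker and nothing at all to the http one.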

We have a detailed article about additional security headers if you want to fully protect your users. For more information, you can read the documentation on MDN Web Docs.

Ready to validate your website to check for this header and 100+ other important tests?