The short version
When you click a link or your page loads a resource from another site, your browser sends a Referer header that tells the destination which page the request came from. The Referrer-Policy response header controls how much of that URL gets shared: nothing, just the origin, or the full URL including path and query string.
This matters for privacy and security. Without an explicit Referrer-Policy you depend on the browser's default. Current browsers default to strict-origin-when-cross-origin, but older ones send the full URL, including query parameters that might contain tokens, search queries, or user IDs, to every third-party site you link to or load resources from.
Why it matters
Consider this URL:
https://yourapp.com/dashboard?user=12345&token=abc-secret
If someone on this page clicks a link to an external site, or if the page loads an image from a third-party CDN, a browser still running the legacy no-referrer-when-downgrade default (or a page that sets unsafe-url) sends:
Referer: https://yourapp.com/dashboard?user=12345&token=abc-secret
The external site now has your user's ID and token, sitting in its access logs and in whatever analytics it runs. That's a data leak. The W3C Referrer Policy specification was created to address exactly this.
The options
The MDN Referrer-Policy documentation lists all the values:
no-referrer
Never send the Referer header. Maximum privacy, but third-party services (analytics, affiliates) won't know where traffic came from, and any server that validates the Referer header (some CSRF checks still do) will see requests that carry none.
origin
Send only the origin (scheme, host and port), never the path or query string, for every request, same-origin ones included. The origin is serialised with a trailing slash:
Referer: https://yourapp.com/
same-origin
Send the full URL for same-origin requests, nothing for cross-origin.
strict-origin
Send just the origin for every request that stays at the same security level (HTTPS to HTTPS, or HTTP to anything), same-origin requests included. Send nothing when navigating from HTTPS to HTTP.
strict-origin-when-cross-origin (recommended)
This is the sweet spot:
- Same-origin: Sends the full URL (useful for your own analytics)
- Cross-origin HTTPS to HTTPS: Sends just the origin
- HTTPS to HTTP: Sends nothing
This is the default in current browsers (Chrome 85+, Firefox 87+).
origin-when-cross-origin
Send the full URL for same-origin requests and just the origin for cross-origin requests, with no special handling of downgrades: the origin is still sent to a plain-HTTP destination.
no-referrer-when-downgrade
Send the full URL for same-origin, HTTPS-to-HTTPS and HTTP-to-anything requests; send nothing from HTTPS to HTTP. This was the old browser default, and older browsers still fall back to it.
unsafe-url
Always send the full URL, even cross-origin and even from HTTPS to plain HTTP. Don't use this. It leaks everything, query string included, to every destination.
How to set it
HTTP header (recommended):
Referrer-Policy: strict-origin-when-cross-origin
HTML meta tag (alternative; it covers only that document, so put it early in <head>, before any resource it should apply to):
<meta name="referrer" content="strict-origin-when-cross-origin" />
Per-element (override for specific links; the referrerpolicy attribute also works on img, script, iframe and link elements, and rel="noreferrer" on a link has the same effect as no-referrer):
<a href="https://external.com" referrerpolicy="no-referrer">External link</a>
You can set it in your server config, CDN settings, or framework middleware, same as other security headers. The header value may be a comma-separated list; browsers use the last value they recognise and ignore the rest, so a value like no-referrer, strict-origin-when-cross-origin gives a browser that doesn't know the newer policy the stricter one as a fallback.
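To make the option list above concrete, here is an added example (not code from the original article) that models how a browser turns a policy, a source page and a destination into the Referer it sends, following the steps of the W3C spec's "determine request's referrer" algorithm, and that parses a Referrer-Policy header value the way browsers do (last recognised token wins). The URLs (yourapp.com, cdn.example.net, tracker.example.net) are the article's sample and constructed test hosts; the one simplification is that "potentially trustworthy" is approximated as "scheme is https:", whereas the spec also trusts localhost and a few other cases.

```javascript
// Added example: model of a browser's Referer decision for each Referrer-Policy
// value. Assumptions: "potentially trustworthy" === https: (simplified), and
// hostnames below are constructed for illustration.

const POLICIES = new Set([
  "no-referrer",
  "no-referrer-when-downgrade",
  "same-origin",
  "origin",
  "strict-origin",
  "origin-when-cross-origin",
  "strict-origin-when-cross-origin",
  "unsafe-url",
]);

// What Chrome 85+ / Firefox 87+ use when no policy is set.
const DEFAULT_POLICY = "strict-origin-when-cross-origin";

// Parse a Referrer-Policy header value. The header is a comma-separated list
// and the LAST recognised token wins, so "no-referrer, strict-origin-when-cross-origin"
// gives a browser that doesn't know the second value a valid fallback.
// Unknown tokens are ignored; if nothing matches, the browser default applies.
function parseReferrerPolicyHeader(headerValue) {
  let policy = "";
  for (const token of String(headerValue || "").split(",")) {
    const t = token.trim();
    if (POLICIES.has(t)) policy = t;
  }
  return policy || DEFAULT_POLICY;
}

function isTrustworthy(u) {
  return u.protocol === "https:"; // simplification, see note above
}

// Return the Referer string the browser would send from sourceUrl to destUrl
// under `policy`, or null if no Referer header is sent at all.
function computeReferer(policy, sourceUrl, destUrl) {
  if (!POLICIES.has(policy)) policy = DEFAULT_POLICY;
  const src = new URL(sourceUrl);
  const dst = new URL(destUrl);

  // Documents that are not http(s) (about:blank, data:, file:) never produce a referrer.
  if (src.protocol !== "https:" && src.protocol !== "http:") return null;

  // Credentials and the fragment are stripped before anything else happens.
  src.username = "";
  src.password = "";
  src.hash = "";

  const full = src.href;                // scheme://host[:port]/path?query
  const originOnly = src.origin + "/";  // an origin is serialised with a trailing slash
  const sameOrigin = src.origin === dst.origin;
  const downgrade = isTrustworthy(src) && !isTrustworthy(dst);

  let referer;
  switch (policy) {
    case "no-referrer":                referer = null; break;
    case "unsafe-url":                 referer = full; break;
    case "origin":                     referer = originOnly; break;
    case "same-origin":                referer = sameOrigin ? full : null; break;
    case "strict-origin":              referer = downgrade ? null : originOnly; break;
    case "no-referrer-when-downgrade": referer = downgrade ? null : full; break;
    case "origin-when-cross-origin":   referer = sameOrigin ? full : originOnly; break;
    case "strict-origin-when-cross-origin":
      referer = sameOrigin ? full : (downgrade ? null : originOnly); break;
  }
  // The spec caps the referrer at 4096 bytes; longer values fall back to the origin.
  if (referer !== null && referer.length > 4096) referer = originOnly;
  return referer;
}

// Result of every policy for one navigation, handy when reviewing a page.
function refererTable(sourceUrl, destUrl) {
  const table = {};
  for (const p of POLICIES) table[p] = computeReferer(p, sourceUrl, destUrl);
  return table;
}

// Constructed sample: the article's dashboard URL loading third-party images.
const PAGE = "https://yourapp.com/dashboard?user=12345&token=abc-secret";
console.log(refererTable(PAGE, "https://cdn.example.net/logo.png"));
console.log(refererTable(PAGE, "http://tracker.example.net/pixel.gif"));
```

Run it with Node and compare the two tables: for the HTTPS CDN only unsafe-url and no-referrer-when-downgrade expose the token, while for the plain-HTTP tracker the strict-* and no-referrer-when-downgrade policies send nothing at all and origin / origin-when-cross-origin still reveal which site the user was on.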
Common scenarios
You have sensitive data in URLs. If your URLs contain tokens, session IDs, or user data, set strict-origin-when-cross-origin at minimum. Better yet, stop putting sensitive data in URLs: besides the Referer header, URLs end up in browser history, bookmarks, proxy and server logs, and bug reports, and Referrer-Policy controls none of those.
You run affiliate or referral programs. Some referral programs rely on the Referer header to attribute traffic. Using no-referrer would break attribution. strict-origin-when-cross-origin is a good compromise: the destination knows the user came from your domain but doesn't see the full URL.
You embed third-party resources. Every image, script, or font loaded from a third-party CDN sends a Referer header. If your page URL contains sensitive information, that information leaks to every third-party resource you load.
What most sites should do
Set this header and move on:
Referrer-Policy: strict-origin-when-cross-origin
Current browsers default to it anyway, but older browsers default to no-referrer-when-downgrade, which sends the full URL cross-origin. Setting it explicitly protects users on those browsers and makes your policy visible to reviewers and scanners instead of leaving it to whatever the client decides.
If you're extra privacy-conscious, use no-referrer. But for most sites, strict-origin-when-cross-origin is the right balance between privacy and functionality.
Frequently Asked Questions
- What is the Referer header?
- When you click a link from page A to page B, your browser sends a Referer header to page B containing the URL of page A. This tells the destination where the user came from.
- Why is it spelled Referer and not Referrer?
- It's a typo from the original HTTP specification (RFC 1945). The misspelling stuck and is now part of the standard, so the request header is Referer while the newer Referrer-Policy response header uses the correct spelling.
- What value should I use for Referrer-Policy?
- strict-origin-when-cross-origin is the best default. It shares the full URL for same-origin requests (good for analytics) and only the origin for cross-origin requests (good for privacy).