Referrer-Policy header

The Referrer-Policy HTTP response header governs how much referrer information (sent via the Referer request header) a browser includes with the navigations and subresource requests it makes from a page.^[600-developer-tools-security-strict-transport-security.md] Its primary purpose is to protect user privacy by controlling how much of the originating URL (origin, path and query string) is visible to the destination when users move between websites.^[600-developer-tools-security-strict-transport-security.md]

Functionality

The Referer header identifies the address of the page from which a link was followed or a resource was requested, effectively recording where a user came from.^[600-developer-tools-security-strict-transport-security.md] While this data is useful for analytics and debugging, it can leak sensitive information: path segments, query parameters and any tokens embedded in the URL are all sent to the destination. The Referrer-Policy header lets server administrators restrict what is transmitted, based on whether the request stays on the same origin and whether it downgrades from HTTPS to cleartext HTTP.^[600-developer-tools-security-strict-transport-security.md]

Directives

The policy accepts several values to define the level of strictness applied to the referrer URL^[600-developer-tools-security-strict-transport-security.md]:

  • no-referrer: The Referer header is omitted entirely; no referrer information is sent.^[600-developer-tools-security-strict-transport-security.md]
  • origin: Only the scheme, host, and port (the origin) are sent, serialised with a trailing slash. For example, navigating from https://example.com/a.html results in a Referer of https://example.com/.^[600-developer-tools-security-strict-transport-security.md]
  • strict-origin: Like origin, but the origin is only sent when the protocol security level does not drop (HTTPS to HTTPS, or from an HTTP page to any destination); nothing is sent on an HTTPS to HTTP downgrade.^[600-developer-tools-security-strict-transport-security.md]
  • no-referrer-when-downgrade: The full URL is sent, same-origin or cross-origin, unless the request goes from an HTTPS page to an HTTP destination, in which case no referrer is sent. It applies the same downgrade test as strict-origin but sends the full URL rather than the origin. This was the historical browser default; current browsers fall back to strict-origin-when-cross-origin when no policy is set.^[600-developer-tools-security-strict-transport-security.md]
  • origin-when-cross-origin: The full URL is sent for same-origin requests, but only the origin is sent for cross-origin requests.^[600-developer-tools-security-strict-transport-security.md]
  • same-origin: The full URL is sent for same-origin requests; no referrer is sent for cross-origin requests.^[600-developer-tools-security-strict-transport-security.md]
  • strict-origin-when-cross-origin: The full URL is sent for same-origin requests. For cross-origin requests only the origin is sent, and nothing is sent when the request downgrades from HTTPS to HTTP. This is the default in current browsers when no Referrer-Policy is specified.^[600-developer-tools-security-strict-transport-security.md]
  • unsafe-url: The full URL, including path and query string, is sent for every request regardless of origin or protocol security, so anything sensitive in the URL leaks to every third party and to cleartext destinations.^[600-developer-tools-security-strict-transport-security.md]
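
The rules above are easiest to check by working them through for a concrete navigation. The following is an added example, not code from the original page: a small model of how a browser turns the Referrer-Policy in force into the Referer value for one request. It parses the header value (which may carry a comma-separated fallback list, where the last recognised token wins and unknown tokens are ignored), strips credentials and the fragment as a browser does, and then applies the same-origin and downgrade tests of each directive. The URLs shop.example, cdn.example and insecure.example are constructed sample inputs; it runs under Node.js with no dependencies beyond the built-in URL class.

```javascript
// Added example (not from the original page): model of how a browser derives the
// Referer header value for a request from the Referrer-Policy in force.
// Runs with `node referrer.js`; uses only the WHATWG URL class built into Node.js.

const POLICIES = new Set([
  'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
  'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url',
]);

// The header may be a comma-separated fallback list; the last recognised token
// wins and unknown tokens are ignored. An empty or entirely unrecognised value
// falls back to the current browser default, strict-origin-when-cross-origin.
function parseReferrerPolicy(headerValue) {
  let policy = 'strict-origin-when-cross-origin';
  for (const token of String(headerValue || '').split(',')) {
    const t = token.trim().toLowerCase();
    if (POLICIES.has(t)) policy = t;
  }
  return policy;
}

// A Referer never carries credentials or the fragment, whatever the policy.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u;
}

// A "downgrade" is a request from a TLS-protected page to a cleartext destination.
function isDowngrade(from, to) {
  return from.protocol === 'https:' && to.protocol === 'http:';
}

// Returns the Referer value the browser would send for a request from sourceUrl
// to destUrl under the given policy, or null when no Referer is sent at all.
function computeReferrer(policy, sourceUrl, destUrl) {
  const from = stripForReferrer(sourceUrl);
  const to = new URL(destUrl);
  const sameOrigin = from.origin === to.origin;
  const fullUrl = from.href;
  const originOnly = from.origin + '/'; // origin is serialised with a trailing slash

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return fullUrl;
    case 'origin':
      return originOnly;
    case 'strict-origin':
      return isDowngrade(from, to) ? null : originOnly;
    case 'no-referrer-when-downgrade':
      return isDowngrade(from, to) ? null : fullUrl;
    case 'same-origin':
      return sameOrigin ? fullUrl : null;
    case 'origin-when-cross-origin':
      return sameOrigin ? fullUrl : originOnly;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return fullUrl; // same origin implies same scheme, so no downgrade
      return isDowngrade(from, to) ? null : originOnly;
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Constructed sample navigation (hypothetical hosts): a sensitive account page with a
// path, query string and fragment, followed to a same-origin page, a cross-origin
// HTTPS tracker, and a cleartext HTTP destination.
const SOURCE = 'https://shop.example/account/orders?id=4242#receipt';
const TARGETS = [
  'https://shop.example/help',
  'https://cdn.example/track.gif',
  'http://insecure.example/',
];

// Evaluates one header value against every target; returns the table it prints.
function demo(headerValue) {
  const policy = parseReferrerPolicy(headerValue);
  return TARGETS.map((dest) => ({ policy, dest, referer: computeReferrer(policy, SOURCE, dest) }));
}

console.table(demo('no-referrer-when-downgrade'));
console.table(demo('strict-origin-when-cross-origin'));
```

Running it side by side shows the practical difference between the old and the new default: under no-referrer-when-downgrade the order id in the query string reaches the third-party tracker, while under strict-origin-when-cross-origin the tracker only learns https://shop.example/ and the cleartext destination learns nothing.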

Code Examples

Implementation typically involves setting the header in the server's response configuration^[600-developer-tools-security-strict-transport-security.md]. The two Node.js-style lines below show the strictest and the loosest setting; a server sends one or the other, since a second setHeader call for the same header name overwrites the first. A page can also declare the same policy with a <meta name="referrer"> element or a per-link referrerpolicy attribute when a server-wide setting is too coarse.

// Strictest setting: the browser never sends a Referer header from this page.
res.setHeader('Referrer-Policy', 'no-referrer');
// Loosest setting: the full URL is always sent, even on an HTTPS to HTTP downgrade.
res.setHeader('Referrer-Policy', 'unsafe-url');

Sources

^[600-developer-tools-security-strict-transport-security.md]