Referrer-Policy
Learn how Referrer-Policy controls referrer information and protects user privacy.
Referrer-Policy is an HTTP header that controls how much referrer information is sent along with requests. By configuring this header properly, you can protect user privacy while ensuring your website continues to function correctly with analytics and other services.
What is the HTTP Referrer?
When a user navigates from one page to another (by clicking a link, submitting a form, or loading a resource), browsers include a Referer header in the request that tells the destination server which URL the user came from. Note the historical misspelling: the HTTP specification uses 'Referer' while the policy header uses the correct spelling 'Referrer-Policy'. This information is valuable for analytics, security logging, and content personalization.
- The Referer header contains the full URL of the page that initiated the request
- It is sent automatically by browsers for navigations, subresource loads, and form submissions
- Analytics services rely on referrer data to understand traffic sources
- The header can include query parameters, paths, and fragments that may contain sensitive data
Privacy and Security Risks
Without an explicit Referrer-Policy, the browser's built-in default applies, and older browser defaults sent the full URL as the referrer. This can expose sensitive information to third parties, especially when URLs contain user identifiers, search queries, authentication tokens, or internal path structures. The risk increases when navigating from HTTPS to HTTP, as the sensitive URL is then sent in plaintext.
- URLs with session tokens or user IDs leak authentication data to external sites
- Search query parameters in URLs reveal what users are looking for
- Internal path structures can reveal application architecture to third parties
- HTTPS to HTTP navigations expose the full referrer URL in plaintext traffic
If a user is on https://yoursite.com/profile?user=12345&token=abc and clicks an external link, the full URL including the user ID and token is sent to the external site as the Referer header.
Understanding the Policy Values
Referrer-Policy offers eight different values that control how much referrer information is shared. The right choice depends on your balance between analytics needs and privacy requirements.
- no-referrer: Never send any referrer information (maximum privacy)
- no-referrer-when-downgrade: Send referrer for same-protocol requests, omit for HTTPS to HTTP
- origin: Send only the origin (scheme + host + port), not the full URL path
- origin-when-cross-origin: Full URL for same-origin, origin only for cross-origin
- same-origin: Send full referrer for same-origin requests, nothing for cross-origin
- strict-origin: Send origin for same-protocol requests, nothing for downgrades
- strict-origin-when-cross-origin: Full URL same-origin, origin cross-origin, nothing for downgrades (recommended)
- unsafe-url: Always send the full URL (least secure, not recommended)
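The following is an added example, not code from the original page: it models how a browser derives the Referer value from the policy values listed above (including the modern default when no policy is set) and how a comma-separated Referrer-Policy header is parsed, where the last recognized token wins. The URLs used are constructed for illustration.

```javascript
// Added example: derive the Referer value a browser would send for a request,
// following the Referrer Policy spec's "determine request's referrer" rules.
const POLICIES = new Set(['no-referrer', 'no-referrer-when-downgrade', 'origin',
  'origin-when-cross-origin', 'same-origin', 'strict-origin',
  'strict-origin-when-cross-origin', 'unsafe-url']);

// A Referrer-Policy header may carry a comma-separated fallback list; the last
// token the browser recognizes wins, so unknown or misspelled tokens are skipped.
function parsePolicyHeader(headerValue) {
  let policy = '';
  for (const token of headerValue.split(',')) {
    const t = token.trim().toLowerCase();
    if (POLICIES.has(t)) policy = t;
  }
  return policy; // '' means "no policy set", i.e. the browser default applies
}

// Strip credentials and fragment; for origin-only, drop the path and query too.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  u.username = ''; u.password = ''; u.hash = '';
  if (originOnly) { u.pathname = '/'; u.search = ''; }
  return u.href;
}

// Returns the Referer header value, or null when no header is sent.
function computeReferrer(policy, sourceUrl, destUrl) {
  const src = new URL(sourceUrl), dst = new URL(destUrl);
  if (policy === '') policy = 'strict-origin-when-cross-origin'; // modern default
  const sameOrigin = src.origin === dst.origin;
  // A downgrade is leaving a secure (https) page for an insecure (http) target.
  const downgrade = src.protocol === 'https:' && dst.protocol !== 'https:';
  const full = stripForReferrer(sourceUrl, false);
  const origin = stripForReferrer(sourceUrl, true);
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return origin;
    case 'same-origin': return sameOrigin ? full : null;
    case 'origin-when-cross-origin': return sameOrigin ? full : origin;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'strict-origin': return downgrade ? null : origin;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    default: throw new Error('unknown policy: ' + policy);
  }
}
```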
Implementation Guide
The recommended value for most websites is strict-origin-when-cross-origin, which is also the default in modern browsers. This provides a good balance between analytics functionality and privacy protection.
Referrer-Policy can be set via HTTP header, HTML meta tag, or per-element attributes. The HTTP header applies site-wide and takes lowest precedence when combined with more specific element-level policies.
# Apache (.htaccess)
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Nginx
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Node.js / Express
app.use((req, res, next) => {
  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
  next();
});
# HTML meta tag alternative
<meta name="referrer" content="strict-origin-when-cross-origin">
# Per-link override
<a href="https://example.com" referrerpolicy="no-referrer">Link</a>
Choosing the Right Policy
Select your Referrer-Policy based on your application's specific needs. Consider what information your URLs contain and who should be able to see it.
- For sensitive applications (healthcare, finance): use no-referrer or same-origin
- For most websites: strict-origin-when-cross-origin provides the best balance
- For public content sites that need analytics: origin-when-cross-origin works well
- Never use unsafe-url on pages that may contain sensitive data in URLs
- Use per-element referrerpolicy attributes for specific links that need different behavior
Best Practices
Follow these guidelines to implement Referrer-Policy effectively while maintaining the functionality your application needs.
- Always set an explicit Referrer-Policy rather than relying on browser defaults
- Avoid putting sensitive data (tokens, IDs, search terms) in URL parameters
- Use strict-origin-when-cross-origin as a sensible default for most sites
- Test that analytics and affiliate tracking still work after setting your policy
- Combine with proper URL design to minimize information in referrer headers
Implementation Examples
No Referrer
Referrer-Policy: no-referrer
Never send referrer information
Explanation: This provides maximum privacy but may break some analytics or anti-fraud systems that rely on referrer data.
Same Origin Only
Referrer-Policy: same-origin
Send referrer only for same-origin requests
Explanation: Referrer information is sent when navigating within your own site, but not when linking to external sites.
Strict Origin (Recommended)
Referrer-Policy: strict-origin-when-cross-origin
Send the full URL for same-origin requests, the origin only for cross-origin HTTPS requests, and nothing on HTTPS to HTTP downgrades
Explanation: This balances privacy and functionality - it's the default in modern browsers and works well for most websites.
Key Directives
no-referrer
Never send referrer information
Referrer-Policy: no-referrer
same-origin
Send referrer only for same-origin requests
Referrer-Policy: same-origin
strict-origin-when-cross-origin
Balanced policy for privacy and functionality
Referrer-Policy: strict-origin-when-cross-origin