Free Referrer-Policy Checker

Check which Referrer-Policy a website sends and whether it leaks sensitive URLs to other sites.

Free and instant. No account or signup needed.

What this Referrer-Policy checker tests

Every time a visitor follows a link off your site, the browser can attach a Referer header that tells the destination which page the visitor came from. By default that header can include the full URL, not just the domain. The Referrer-Policy header is how a site decides how much of that URL gets shared, and this checker fetches the live response from the URL you enter so you can see the exact policy a site sends.

The risk is real because URLs are not always harmless. Plenty of sites put sensitive values in the query string: password reset tokens, magic login links, search terms, or account identifiers. With a leaky policy, all of that travels to whatever site the visitor clicks through to, and to the third-party scripts and ad networks loaded on the page they land on. The worst offender is unsafe-url, which sends the complete URL, including path and query, to every destination, even when moving from HTTPS to HTTP.

The recommended policy and how to set it

For almost every site the right value is strict-origin-when-cross-origin. It keeps the full URL for navigations within your own origin, so your analytics still work, but it strips the path and query down to just the origin when a request crosses to another site, and it sends nothing at all on an HTTPS-to-HTTP downgrade. That balance protects sensitive URLs without breaking same-origin tooling.

Setting it takes one header. In Nginx, add

add_header Referrer-Policy "strict-origin-when-cross-origin" always;

to your server block (the always flag makes Nginx emit the header on error responses as well as on 2xx and 3xx responses). In Apache, use

Header set Referrer-Policy "strict-origin-when-cross-origin"

Reload the server and re-run the checker to confirm the header shows up in the live response. To go deeper on how each policy value behaves, read the Referrer Policy guide.
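As an added worked example (not SiteSecurityScore's own code), the Python below implements the policy semantics described in the two sections above: it resolves a raw Referrer-Policy header the way a browser does (comma-separated fallback lists, unknown tokens ignored, browser default when nothing usable is present), computes the exact Referer value each policy would send from a page to a destination, and summarises what a constructed password-reset URL would leak on a cross-origin click. The fetch_headers helper, the example.com and third-party.example hostnames, and the sample header are assumptions for illustration; the demo runs offline against the embedded sample unless you pass a URL on the command line.

```python
"""Referrer-Policy checker and policy simulator (added example, not SiteSecurityScore's code)."""
import sys
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# The eight policy tokens defined by the Referrer Policy specification.
POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}
# Policy modern browsers apply when no header (or no valid token) is present.
DEFAULT_POLICY = "strict-origin-when-cross-origin"


def effective_policy(header_value):
    """Resolve a raw Referrer-Policy header to the token a browser would apply.

    The header may carry a comma-separated fallback list; the last token the
    browser recognises wins and unknown tokens are ignored. Returns "" when
    nothing usable is present, meaning the browser default applies.
    """
    chosen = ""
    for token in (header_value or "").split(","):
        token = token.strip().lower()
        if token in POLICIES:
            chosen = token
    return chosen


def _host(parts):
    # Hostname plus explicit port; userinfo (user:pass@) is never part of a referrer.
    host = parts.hostname or ""
    return f"{host}:{parts.port}" if parts.port else host


def origin_referer(url):
    """Referer value when a policy reduces the URL to its origin (serialized origin plus '/')."""
    p = urlsplit(url)
    return f"{p.scheme}://{_host(p)}/"


def full_referer(url):
    """Referer value when a policy sends the whole URL; fragment and credentials are always dropped."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host(p), p.path or "/", p.query, ""))


def referer_for(policy, src, dst):
    """Referer a browser sends when navigating from src to dst under policy, or None for no header."""
    policy = policy or DEFAULT_POLICY
    same_origin = origin_referer(src) == origin_referer(dst)
    downgrade = urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_referer(src)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_referer(src)
    if policy == "origin":
        return origin_referer(src)
    if policy == "strict-origin":
        return None if downgrade else origin_referer(src)
    if policy == "same-origin":
        return full_referer(src) if same_origin else None
    if policy == "origin-when-cross-origin":
        return full_referer(src) if same_origin else origin_referer(src)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full_referer(src)
        return None if downgrade else origin_referer(src)
    raise ValueError(f"unknown policy: {policy!r}")


def check_headers(headers, page_url):
    """Summarise what a page's Referrer-Policy exposes on a cross-origin HTTPS and HTTP click."""
    # Header names are case-insensitive on the wire, so match them that way.
    raw = next((v for k, v in headers.items() if k.lower() == "referrer-policy"), None)
    policy = effective_policy(raw) or DEFAULT_POLICY
    to_https = referer_for(policy, page_url, "https://third-party.example/")  # assumed destination
    to_http = referer_for(policy, page_url, "http://third-party.example/")    # assumed downgrade
    full = full_referer(page_url)
    return {
        "header": raw,
        "effective": policy,
        "cross_origin_https": to_https,
        "cross_origin_http": to_http,
        "leaks_full_url": full in (to_https, to_http),
    }


def fetch_headers(url):
    """Fetch the live response headers for url (needs network; not used by the offline demo)."""
    req = urllib.request.Request(url, headers={"User-Agent": "referrer-policy-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers)


if __name__ == "__main__":
    # Constructed sample: a password-reset URL on a site that sends unsafe-url.
    page = "https://example.com/reset?token=abc123"
    sample = {"Referrer-Policy": "unsafe-url"}
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else sample
    for key, value in check_headers(headers, page).items():
        print(f"{key}: {value}")
```

Run it with no arguments to see the embedded sample reported as leaking the full reset URL to both destinations; run it with a URL to inspect a live site's header. Note that the policy a page sends governs requests made from that page, so the URL you pass is the page whose outbound links you are worried about, not the destination.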

Frequently asked questions

What is a Referrer-Policy checker?

A Referrer-Policy checker reads the Referrer-Policy header a website returns and tells you how much of the referring URL the site shares when a visitor clicks through to another origin. SiteSecurityScore checks this live by scanning the URL you enter.

Why does the Referrer header matter for privacy?

When someone follows a link off your site, the browser can send the full URL of the page they came from in the Referer header. If that URL contains a session token, password reset code, or other sensitive value in its query string, a weak policy hands it to the destination site and any third-party scripts it loads.

What is the recommended Referrer-Policy value?

strict-origin-when-cross-origin is the recommended value for most sites. It sends the full URL on same-origin navigations, sends only the origin on cross-origin requests, and sends nothing when moving from HTTPS to HTTP. That keeps internal analytics useful while preventing path and query leakage to other sites.

Is unsafe-url ever a good choice?

Almost never. unsafe-url sends the complete URL, including path and query string, to every destination on every request, even across origins and even when downgrading from HTTPS to HTTP. It is the leakiest option and should be avoided on any site that puts sensitive data in its URLs.

Does this checker scan a live site?

Yes. Enter a URL and SiteSecurityScore fetches the live response, reads the Referrer-Policy header, and reports what it found in seconds. No account or signup is required.

Check every layer in one scan

This checker covers one piece. Run a full SiteSecurityScore scan for your security headers, CSP, TLS, DNS, and cookies with a letter grade and copy-and-paste fixes. No account required.