The Referrer-Policy header is a security header that controls how much information about the referring URL (the referrer) is included in the HTTP request headers when a user navigates from one page to another. The referrer is the URL of the web page the user was on before navigating to the current page. The Referrer-Policy header allows website administrators to control whether this information is sent and, if so, to what extent.
Purpose of Referrer-Policy
The primary purpose of the Referrer-Policy header is to enhance user privacy and security by controlling the information shared in the referrer header. By adjusting the referrer policy, administrators can influence how much is disclosed to external websites when users click on links or load resources.
How Referrer-Policy Works
The Referrer-Policy header supports 8 directives that define how referrer information is included. The common directives include:

| Directive | Behavior |
|---|---|
| no-referrer | Sends no referrer information with the request. This is the most privacy-preserving option. |
| no-referrer-when-downgrade | Sends no referrer information when navigating from HTTPS to HTTP, but sends the full referrer on same-origin or cross-origin HTTPS-to-HTTPS requests. |
| origin | Sends the origin (protocol, host, and port) of the referrer, but not the full path. |
| origin-when-cross-origin | Sends the full path when navigating within the same origin, but only the origin when navigating to a different origin. |
| same-origin | Sends the full path when navigating within the same origin, but no referrer information when navigating to a different origin. |
| strict-origin | Sends the origin (protocol, host, and port) when navigating within the same origin, but no referrer information when navigating to a different origin. |
| strict-origin-when-cross-origin | Sends the full path when navigating within the same origin, but only the origin when navigating to a different origin. |
| unsafe-url | Sends the full referrer (including path) in all cases, even when navigating from HTTPS to HTTP or across origins. |
The following example sets a policy that sends no referrer information with any request:
Referrer-Policy: no-referrer
Configure Referrer-Policy via Web Servers
More detailed instructions on how to configure security headers are available here. The examples below assume you already know where to add headers for your web server type:
Apache
<IfModule mod_headers.c>
Header always set Referrer-Policy "no-referrer"
</IfModule>
NGINX
add_header Referrer-Policy "no-referrer";