Referrer-Policy: Control Referrer Sending to Enhance Privacy and Security


The HTTP Referrer-Policy header allows you to decide what referrer URL information the browser sends when navigating between your pages or to external sites. By adjusting this policy, you limit sensitive data leaks, enhance user privacy, and prevent certain attack scenarios.

What is the Referrer Policy Header?

Specified by the W3C, Referrer-Policy offers several directives to control the Referer field transmitted in HTTP requests:

  • No referrer sent (no-referrer)
  • Full referrer only in same-origin context (no-referrer-when-downgrade, same-origin)
  • Partial referrer transmission (origin, origin-when-cross-origin)
  • Origin-only transmission, and only in secure contexts (strict-origin, strict-origin-when-cross-origin)
  • Full URL sent even to plain HTTP destinations (unsafe-url, to be avoided)

Why Implement Referrer-Policy?

  • Privacy Protection: Do not transmit sensitive paths or parameters to third parties.
  • Information Leakage Limitation: Reduce the exfiltration of tokens, identifiers, or session data in URLs.
  • Security Enhancement: Coupled with HTTPS, keeps the referrer from being sent on HTTPS-to-HTTP downgrades and limits it to the bare origin on insecure connections.
  • Improved SEO Reputation: Some engines value privacy protection and good HTTP hygiene.

Possible Referrer-Policy Values

  • no-referrer: Never sends the referrer.
  • no-referrer-when-downgrade (default in some browsers): Sends the referrer unless you downgrade from HTTPS to HTTP.
  • same-origin: Referrer only for same-origin requests.
  • origin: Sends only the scheme + host + port, without the path or query string.
  • origin-when-cross-origin: Full URL in same-origin, origin in cross-origin.
  • strict-origin: Origin only, and only when the request is not a downgrade (HTTPS→HTTPS).
  • strict-origin-when-cross-origin: Full URL in secure same-origin, origin in secure cross-origin, nothing on downgrade.
  • unsafe-url: Always sends the full URL (not recommended).
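To make the differences between these values concrete, here is an added example (not code from the original post) that computes the Referer value a browser derives for a given policy, source page and destination, following the W3C algorithm: credentials and the fragment are always stripped, the origin form ends with a slash, and a "downgrade" means an HTTPS page requesting a plain-HTTP destination. The URLs in the comments and usage note are constructed samples, and the "potentially trustworthy" test is simplified to HTTPS or loopback.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_POLICY = "strict-origin-when-cross-origin"  # fallback for an empty or unknown policy

def _host_port(p):
    """Host plus port, omitting the scheme's default port (80/443)."""
    host = p.hostname or ""
    if p.port is not None and p.port != {"http": 80, "https": 443}.get(p.scheme):
        host += f":{p.port}"
    return host

def _full(url):
    """Full referrer form: credentials and fragment stripped, path and query kept."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(p), p.path or "/", p.query, ""))

def _origin(url):
    """Origin-only form, serialized with a trailing slash as browsers do."""
    p = urlsplit(url)
    return f"{p.scheme}://{_host_port(p)}/"

def _trustworthy(url):
    """Simplified 'potentially trustworthy' check: HTTPS or loopback (assumption)."""
    p = urlsplit(url)
    return p.scheme == "https" or p.hostname in ("localhost", "127.0.0.1")

def referrer_for(policy, source, destination):
    """Referer value sent for a request from source to destination under the
    given Referrer-Policy, or None when no Referer is sent."""
    policy = policy or DEFAULT_POLICY
    if urlsplit(source).scheme not in ("http", "https"):
        return None  # e.g. a data: or file: page sends nothing
    same_origin = _origin(source) == _origin(destination)
    downgrade = _trustworthy(source) and not _trustworthy(destination)
    full, origin = _full(source), _origin(source)
    rules = {
        "no-referrer": None,
        "no-referrer-when-downgrade": None if downgrade else full,
        "same-origin": full if same_origin else None,
        "origin": origin,
        "origin-when-cross-origin": full if same_origin else origin,
        "strict-origin": None if downgrade else origin,
        "strict-origin-when-cross-origin": full if same_origin else (None if downgrade else origin),
        "unsafe-url": full,
    }
    # An unrecognised token is ignored by browsers, which then apply the default.
    return rules.get(policy, rules[DEFAULT_POLICY])
```

With a constructed page such as https://shop.example/account/orders?order=12345#receipt, no-referrer-when-downgrade hands the full URL, order number included, to https://analytics.example/collect, while the strict default reduces it to https://shop.example/ and sends nothing at all to an http:// destination.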

Header Example

Referrer-Policy: strict-origin-when-cross-origin

Deployment Examples

Nginx

add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Apache (.htaccess)

<IfModule mod_headers.c>
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

WordPress (functions.php)

// Emit the header with each WordPress page response.
add_action('send_headers', function () {
  header('Referrer-Policy: strict-origin-when-cross-origin');
});

Our Implementation Services

At Dimension Internet, we support you from A to Z:

  • Audit of your URL paths and parameters,
  • Definition of the most suitable Referrer-Policy for your needs,
  • Configuration on your servers (Nginx, Apache, CDN),
  • Tests in report-only then transition to production,
  • Ongoing monitoring and maintenance as your infrastructure evolves.

Conclusion

The Referrer-Policy header is a simple and powerful lever to control user privacy and limit sensitive data leakage. Adopt a strict policy today and gain confidence, compliance, and SEO performance. Dimension Internet helps you every step of the way for a flawless deployment.
