security
Referrer-Policy
Controls how much of the current URL is sent as the Referer header on outgoing requests and navigations. Tightening it limits leakage of query strings, session tokens, and internal paths to third parties.
Referrer-Policy: <policy>[, <policy>...] (browser uses first supported) Common directives / values
| Directive | Purpose |
|---|---|
| no-referrer | Never send the Referer header at all. |
| no-referrer-when-downgrade | Send full URL on same/upgraded protocols, nothing on HTTPS->HTTP. |
| same-origin | Send full URL to same-origin, nothing cross-origin. |
| origin | Send only scheme+host+port, never path or query. |
| strict-origin | Origin only, and nothing on HTTPS->HTTP downgrade. |
| origin-when-cross-origin | Full URL same-origin, origin-only cross-origin. |
| strict-origin-when-cross-origin | Modern browser default — full URL same-origin, origin cross-origin, nothing on downgrade. |
| unsafe-url | Always send full URL — leaks path and query everywhere; avoid. |
Examples
Referrer-Policy: strict-origin-when-cross-origin Modern default — a safe production baseline.
Referrer-Policy: no-referrer Maximum privacy — payment/auth pages that must not leak URLs.
Referrer-Policy: same-origin Analytics-friendly internally, silent to third parties.
Referrer-Policy: no-referrer, strict-origin-when-cross-origin Fallback list: browsers use the first policy they understand.
Gotcha
unsafe-url has been the source of many token leaks via Referer to third-party analytics — never use it. The token is legally 'Referer' (misspelled) in the header, but the policy header is 'Referrer'.
Related headers
Content-Security-Policy
Restricts which sources of scripts, styles, images, frames, and other resources a page may load, mitigating XSS and data injection. Policies are a semicolon-separated list of directives, each with a source list ('self', 'none', hostnames, schemes, nonces, or hashes).
Permissions-Policy
Allow-lists or blocks powerful browser features (camera, mic, geolocation, payment, etc.) at the document and per-iframe level. Replaces the older Feature-Policy header with a structured-fields syntax.
Strict-Transport-Security
HSTS instructs browsers to only connect over HTTPS for max-age seconds, upgrading any http:// URL and refusing to bypass TLS warnings. Once cached the policy is sticky for the whole duration.
Origin
Identifies the origin that caused the request without exposing path or query, sent on CORS requests and on all POST-like navigations. Central to CSRF defense and CORS policy decisions.
X-Frame-Options
Controls whether the page may be rendered inside a <frame>, <iframe>, <embed>, or <object>, defending against clickjacking. Superseded by CSP frame-ancestors but still widely honored for legacy clients.