security

Referrer-Policy

Controls how much of the current URL is sent as the Referer header on outgoing requests and navigations. Tightening it limits leakage of query strings, session tokens, and internal paths to third parties.

Referrer-Policy: <policy>[, <policy>...]  (browser uses first supported)

Common directives / values

Directive Purpose
no-referrer Never send the Referer header at all.
no-referrer-when-downgrade Send full URL on same/upgraded protocols, nothing on HTTPS->HTTP.
same-origin Send full URL to same-origin, nothing cross-origin.
origin Send only scheme+host+port, never path or query.
strict-origin Origin only, and nothing on HTTPS->HTTP downgrade.
origin-when-cross-origin Full URL same-origin, origin-only cross-origin.
strict-origin-when-cross-origin Modern browser default — full URL same-origin, origin cross-origin, nothing on downgrade.
unsafe-url Always send full URL — leaks path and query everywhere; avoid.

Examples

Referrer-Policy: strict-origin-when-cross-origin

Modern default — a safe production baseline.

Referrer-Policy: no-referrer

Maximum privacy — payment/auth pages that must not leak URLs.

Referrer-Policy: same-origin

Analytics-friendly internally, silent to third parties.

Referrer-Policy: no-referrer, strict-origin-when-cross-origin

Fallback list: browsers use the first policy they understand.

Gotcha

unsafe-url has been the source of many token leaks via Referer to third-party analytics — never use it. The token is legally 'Referer' (misspelled) in the header, but the policy header is 'Referrer'.

Related headers

← All HTTP headers · HTTP status codes · Fix CORS errors