
Referrer-Policy

Medium importance

What is Referrer-Policy?

When a user moves from your site to another, for example by clicking a link or submitting a form, and also whenever your page loads an image, script or other resource from an external host, the browser sends the address of the page the request came from in the Referer request header. This value is called the referrer. Historically the default behaviour (no-referrer-when-downgrade) was to send your full URL, including the path and query string, to any destination that did not downgrade from HTTPS to HTTP; the fragment (#...) and any credentials embedded in the URL are never sent.

At first glance this looks harmless: your URL gets sent. The problem is that URLs often carry sensitive data, such as user IDs, password-reset or session tokens, search queries, and internal application paths. Without a Referrer-Policy header you are relying on whatever each visitor's browser does by default, and on older browsers that means every external site and third-party resource your page references receives the full URL.

The Referrer-Policy response header lets you control which part of the URL is sent. You can send only the origin (scheme, host and port, for example https://example.com), send the full URL only for requests within your own site, or send no referrer at all. It is a simple but effective way to stop data leaking through URLs.

How to enable Referrer-Policy?

To control what your site sends, add the header to your web server configuration using the example for your server below. The same policy can also be declared per page with a <meta name="referrer"> tag or per link or resource with the referrerpolicy attribute, but a server-wide header is the simplest way to cover every page consistently.

Nginx

add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Apache

Header set Referrer-Policy "strict-origin-when-cross-origin"

Available values

  • strict-origin-when-cross-origin (recommended) — for requests to another origin only your origin is sent (e.g., https://example.com/), the full URL is sent only for same-origin requests, and nothing is sent when navigating from HTTPS to HTTP.
  • no-referrer — the referrer is never sent anywhere. Maximum privacy, but your analytics lose referrer data even for internal navigation, and any server-side check that relies on the Referer header stops working.
  • same-origin — the full URL is sent only for requests within your own origin; external destinations get nothing.
  • origin — only your origin is sent, without the path or query string, to every destination. This is sent even on an HTTPS-to-HTTP downgrade, so the origin is exposed in plaintext; strict-origin is the variant that suppresses it on downgrade.
  • unsafe-url — the full URL is always sent everywhere, including to HTTP destinations. Not recommended: it leaks everything in the URL.
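To make the differences between these values concrete, the following added example (not code from the original page) implements the "determine request's referrer" algorithm from the W3C Referrer Policy specification in JavaScript: given a policy, the URL of the page the request comes from and the destination URL, it returns the Referer value a conforming browser would send, or null when nothing is sent. It goes beyond the list above by covering all eight policy values, including no-referrer-when-downgrade, origin-when-cross-origin and strict-origin. The "potentially trustworthy" check is simplified to HTTPS/WSS and loopback hosts, and the sample URLs are constructed for illustration.

```javascript
// Added example: what Referer value a browser sends for each Referrer-Policy.
// Follows the W3C Referrer Policy "determine request's referrer" algorithm.
// Not code from the original page; sample URLs below are constructed.

const POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "origin",
  "origin-when-cross-origin", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);

// Simplified "potentially trustworthy origin": HTTPS/WSS or loopback.
// The spec's full definition also covers file: and other cases.
function isTrustworthy(url) {
  return url.protocol === "https:" || url.protocol === "wss:" ||
    url.hostname === "localhost" || url.hostname === "127.0.0.1";
}

// "Strip url for use as a referrer": credentials and fragment are always
// dropped; with originOnly, path and query go too, leaving scheme://host[:port]/.
function stripForReferrer(url, originOnly) {
  const u = new URL(url.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  if (originOnly) {
    u.pathname = "/";
    u.search = "";
  }
  return u.href;
}

// Returns the Referer string the browser would send, or null for none.
function computeReferrer(policy, fromHref, toHref) {
  const from = new URL(fromHref);
  const to = new URL(toHref);

  // An empty or unrecognised policy falls back to the browser default.
  if (!POLICIES.has(policy)) policy = "strict-origin-when-cross-origin";

  let fullUrl = stripForReferrer(from, false);
  const originOnly = stripForReferrer(from, true);
  // The spec caps the referrer at 4096 bytes; longer values degrade to origin.
  if (fullUrl.length > 4096) fullUrl = originOnly;

  const sameOrigin = from.origin === to.origin;
  const downgrade = isTrustworthy(from) && !isTrustworthy(to);

  switch (policy) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return fullUrl;
    case "origin":
      return originOnly;                       // sent even on downgrade
    case "same-origin":
      return sameOrigin ? fullUrl : null;
    case "origin-when-cross-origin":
      return sameOrigin ? fullUrl : originOnly;
    case "strict-origin":
      return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade":
      return downgrade ? null : fullUrl;       // the legacy browser default
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return fullUrl;
      return downgrade ? null : originOnly;
  }
}

// Shows what every policy leaks for one navigation, keyed by policy name.
function compareAll(fromHref, toHref) {
  const out = {};
  for (const p of POLICIES) out[p] = computeReferrer(p, fromHref, toHref);
  return out;
}

// Constructed sample: a page whose URL carries a user ID and a token.
const FROM = "https://shop.example.com/account?user=42&token=abc#top";
console.log(compareAll(FROM, "https://partner.example/landing"));
console.log(compareAll(FROM, "http://partner.example/landing"));
```

Running it shows the trade-off at a glance: with unsafe-url the token leaves the site in every case, with origin it is replaced by https://shop.example.com/ even on the HTTP downgrade, and with the recommended strict-origin-when-cross-origin the external HTTPS partner sees only the origin while the HTTP partner sees nothing.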

What else to keep in mind

Do not choose no-referrer (or same-origin) if you depend on referrer data. Internal analytics that attribute traffic by referrer, and CSRF defences that compare the Referer header against your own origin, both stop receiving data when the referrer is suppressed; a CSRF check should treat a missing Referer as a failure or fall back to the Origin header plus a token, never silently pass. Also keep in mind that Referrer-Policy only limits what the browser forwards to other destinations: the URL itself still ends up in browser history, bookmarks and your own server logs, so tokens and other secrets should not be placed in query strings in the first place.

Modern browsers (Chrome 85 and Firefox 87 onwards) already default to strict-origin-when-cross-origin, but older versions default to no-referrer-when-downgrade and send the full URL to any external HTTPS site. You cannot control which browser a visitor uses, so set the header explicitly instead of relying on the default; doing so also lets you pick a stricter policy than the default where you need one.

The bottom line is this — proper Referrer-Policy configuration is a balance between privacy and functionality. The value strict-origin-when-cross-origin works for most sites: your analytics keep working, and sensitive data from URLs doesn't leak out.
