What is the Referrer-Policy?

The HTTP header that decides whether external sites see the full URL of your page, just the domain — or nothing at all — when someone follows a link to them.

What is the referrer anyway?

When a user clicks a link on your site that points to another site, the browser by default sends the URL of your current page along as the Referer header (yes, spelled this way — a historic typo immortalized in the RFC). The recipient can then see where the user came from. Sounds harmless, but often isn't: URLs frequently contain sensitive information — reset tokens, session IDs in the URL, internal paths, search queries.

Classic horror story: a webmail with URL-based auth tokens. If the user clicks a link in an email, the full URL string including the token is sent to the destination site — which can then log in as that user.

The eight values

By setting the Referrer-Policy header, you can control what gets transmitted:

  • no-referrer — never send a referrer. Maximum privacy protection, but can break analytics and anti-CSRF.
  • no-referrer-when-downgrade — only send the referrer when the destination is equally or more secure (HTTPS → HTTPS yes, HTTPS → HTTP no). This was the browser default in Chrome/Firefox before the switch to strict-origin-when-cross-origin.
  • origin — send only the origin (https://example.com/), never the path or query. Recommended if one uniform privacy level for all requests is enough for you.
  • origin-when-cross-origin — full URL on same-origin requests, only origin on cross-origin.
  • same-origin — referrer only on same-origin requests; cross-origin gets none.
  • strict-origin — like origin, but nothing at all on a downgrade (HTTPS → HTTP); HTTPS → HTTPS and HTTP → HTTP still get the origin.
  • strict-origin-when-cross-origin — the modern default value in Chrome 85+ and Firefox 87+. Combines origin-when-cross-origin with the strict-origin downgrade rule: full URL same-origin, origin only cross-origin, nothing on a downgrade.
  • unsafe-url — always the full URL, even on a downgrade. Do not use.
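To make the eight values concrete, here is an added example (not code from the original page) that computes what the browser would send as the Referer for each policy, following the Referrer Policy spec's rules: strip credentials and fragment, compare origins, and treat HTTPS → HTTP as a downgrade. The source URL with a reset token is a constructed sample illustrating the webmail scenario above; same-origin is assumed to mean identical scheme, host and port.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)

def _origin(url: str) -> str:
    # Serialized origin: scheme://host[:port], userinfo dropped
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "")

def _strip(url: str) -> str:
    # "Strip URL for use as a referrer": drop userinfo and fragment, keep path and query
    p = urlsplit(url)
    netloc = p.hostname + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))

def referrer_for(policy: str, source: str, dest: str) -> Optional[str]:
    """Return the Referer value the browser sends, or None when it sends nothing."""
    same_origin = _origin(source) == _origin(dest)
    # Assumption: a downgrade is exactly HTTPS -> HTTP (the spec speaks of "trustworthy" origins)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(dest).scheme == "http"
    origin_only = _origin(source) + "/"   # browsers send the origin with a trailing slash
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _strip(source)
    if policy == "origin":
        return origin_only
    if policy == "origin-when-cross-origin":
        return _strip(source) if same_origin else origin_only
    if policy == "same-origin":
        return _strip(source) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "strict-origin-when-cross-origin":
        return _strip(source) if same_origin else (None if downgrade else origin_only)
    if policy == "unsafe-url":
        return _strip(source)
    raise ValueError(f"unknown policy: {policy}")

if __name__ == "__main__":
    # Constructed sample: a webmail reset link leaking a token to an external site
    src = "https://user:pw@mail.example.com/reset?token=abc123#top"
    for dest in ("http://tracker.example.net/", "https://partner.example.org/"):
        for pol in POLICIES:
            print(f"{pol:32} -> {dest:32} {referrer_for(pol, src, dest)}")
```

Run it to see that only unsafe-url and (on a non-downgrade) no-referrer-when-downgrade expose the token to a cross-origin destination.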

Recommendation

For most sites, strict-origin-when-cross-origin is the right value. It is also the modern browser default, so setting it explicitly mainly serves to unify diverging browser defaults (older browsers still fall back to no-referrer-when-downgrade).

For especially privacy-sensitive sites (banks, health portals, legal advice): no-referrer or strict-origin. The trade-off: analytics tools can no longer see where the user came from.

Configuration examples

nginx:

add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Apache:

Header always set Referrer-Policy "strict-origin-when-cross-origin"

HTML meta (fallback, e.g. for static pages):

<meta name="referrer" content="strict-origin-when-cross-origin">

Override per link

On individual links you can override the default behavior with the rel attribute:

<a href="https://example.com" rel="noreferrer noopener">External link</a>

noreferrer acts like no-referrer for this single link. noopener additionally prevents the opened page from reaching back into yours via window.opener (important with target="_blank").
