HTTP Security Header
Referrer-Policy
Governs how much referrer information (sent in the Referer request header) the browser includes with requests and navigations that originate from the page.
Configuration Snapshot
- Header Name: Referrer-Policy
- Primary Mitigation: Privacy Leakage, Session Token Leakage
Example Configuration
Referrer-Policy: strict-origin-when-cross-origin
Implementation Best Practices
- Use strict-origin-when-cross-origin as a safe default: same-origin requests keep the full URL, cross-origin requests over HTTPS receive only the origin, and HTTPS-to-HTTP downgrades receive no referrer
- Avoid no-referrer-when-downgrade unless necessary, since it sends the full URL (path and query string) to every HTTPS destination, including third parties
- Do not place sensitive values (session tokens, password-reset tokens, personal data) in URL query parameters, because any policy that sends more than the origin can leak them in the Referer header
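To make the three recommendations above concrete, the following added example (not part of this page or of any browser's code) models the "determine request's referrer" algorithm from the Referrer Policy specification for every policy value. Given a policy, the URL of the page making the request and the destination URL, it returns the Referer value a conforming browser would send, or null for none. The sample URLs, including the `token=` query parameter, are constructed for the demonstration; the `leaksQueryCrossOrigin` helper is an assumption of this example, not a real API.

```javascript
// Added example: model of the Referrer Policy "determine request's referrer"
// algorithm, used to show what each policy value discloses. Uses only the
// WHATWG URL class, which is a global in Node.js and browsers.

const POLICIES = [
  "no-referrer",
  "no-referrer-when-downgrade",
  "same-origin",
  "origin",
  "strict-origin",
  "origin-when-cross-origin",
  "strict-origin-when-cross-origin",
  "unsafe-url",
];

// Origin-only referrer: scheme://host[:port] plus a trailing "/"
function originOf(url) {
  return new URL(url).origin + "/";
}

// "Strip url for use as a referrer": remove credentials and the fragment,
// but keep the path and query string (this is where tokens leak from).
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// A downgrade is a request from an https: page to a non-https: destination.
function isDowngrade(source, dest) {
  return new URL(source).protocol === "https:" &&
         new URL(dest).protocol !== "https:";
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Returns the Referer header value the browser would send, or null for none.
function computeReferrer(policy, source, dest) {
  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade":
      return isDowngrade(source, dest) ? null : stripForReferrer(source);
    case "same-origin":
      return sameOrigin(source, dest) ? stripForReferrer(source) : null;
    case "origin":
      return originOf(source);
    case "strict-origin":
      return isDowngrade(source, dest) ? null : originOf(source);
    case "origin-when-cross-origin":
      return sameOrigin(source, dest) ? stripForReferrer(source) : originOf(source);
    case "strict-origin-when-cross-origin":
      if (sameOrigin(source, dest)) return stripForReferrer(source);
      if (isDowngrade(source, dest)) return null;
      return originOf(source);
    case "unsafe-url":
      return stripForReferrer(source);
    default:
      throw new Error(`unknown Referrer-Policy value: ${policy}`);
  }
}

// Hypothetical audit helper: does this policy ever send a page's query string
// to a different origin? Uses a constructed URL carrying a placeholder token.
function leaksQueryCrossOrigin(policy) {
  const page = "https://app.example/reset?token=PLACEHOLDER"; // constructed
  const thirdParty = "https://cdn.example/logo.png";          // constructed
  const ref = computeReferrer(policy, page, thirdParty);
  return ref !== null && ref.includes("token=");
}

// Summary table: one row per policy, three destination kinds.
function summarize() {
  const page = "https://app.example/account?token=PLACEHOLDER"; // constructed
  return POLICIES.map((policy) => ({
    policy,
    sameOrigin: computeReferrer(policy, page, "https://app.example/other"),
    crossOriginHttps: computeReferrer(policy, page, "https://cdn.example/x"),
    downgradeHttp: computeReferrer(policy, page, "http://cdn.example/x"),
  }));
}

console.table(summarize());
```

Running the block prints the table; the rows for no-referrer-when-downgrade and unsafe-url show the full `?token=` query reaching the third-party origin, while strict-origin-when-cross-origin sends only `https://app.example/` cross-origin and nothing on an HTTP downgrade.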
Audit Your Configuration
Properly implementing Referrer-Policy is an important part of a robust security posture. A misconfigured header can leak sensitive URLs to third parties or accidentally break legitimate functionality that depends on referrer information. Use our Security Headers auditing tool to evaluate your live production setup.