Skip to main content
CodeRocket
Securitymediumheaders

Set a Referrer-Policy header

rule · referrer-policy

When a user clicks a link or a page loads a resource, browsers send a Referer header to the destination server. The Referrer-Policy header controls how much of the originating URL is included in that header.

Code Example

HTTP
Referrer-Policy: strict-origin-when-cross-origin

Why It Matters

Without a Referrer-Policy, a password reset link such as /reset?token=abc123 is included in the Referer header when the user clicks an external link on that page, leaking the token to third parties.

Available Policy Values

ValueSame-origin requestsCross-origin HTTPSHTTPS → HTTP
no-referrerNothingNothingNothing
no-referrer-when-downgradeFull URLFull URLNothing
originOrigin onlyOrigin onlyOrigin only
origin-when-cross-originFull URLOrigin onlyOrigin only
same-originFull URLNothingNothing
strict-originOrigin onlyOrigin onlyNothing
strict-origin-when-cross-originFull URLOrigin onlyNothing
unsafe-urlFull URLFull URLFull URL

Recommended: strict-origin-when-cross-origin — this is the browser default as of Chrome 85+ and Firefox 87+. Set it explicitly to ensure consistent behavior across all browsers.

Server Configuration

Nginx

NGINX
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Apache

APACHE
<IfModule mod_headers.c>
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

Next.js

JavaScript
// next.config.js
const nextConfig = {
  async headers() {
    return [
      {
        source: '/(.*)',
        headers: [
          {
            key: 'Referrer-Policy',
            value: 'strict-origin-when-cross-origin',
          },
        ],
      },
    ]
  },
}

Express.js (using Helmet)

JavaScript
import helmet from 'helmet'
 
app.use(
  helmet.referrerPolicy({
    policy: 'strict-origin-when-cross-origin',
  })
)

HTML Meta Tag (Page-level)

HTML
<meta name="referrer" content="strict-origin-when-cross-origin">

Per-Element Control

Override the policy for specific links or resources:

HTML
<!-- No referrer for this external link -->
<a href="https://external.com" referrerpolicy="no-referrer">External</a>
 
<!-- Send full URL only to same origin -->
<a href="https://partner.com/track" referrerpolicy="origin">Partner</a>
 
<!-- No referrer for this image request -->
<img src="https://analytics.example.com/pixel.gif" referrerpolicy="no-referrer">

What Gets Leaked Without a Policy

Consider a user on /reset-password?token=xK9mP2qR&user=42 who clicks an external link. Without a strict Referrer-Policy (opens in a new tab):

HTTP
Referer: https://app.example.com/reset-password?token=xK9mP2qR&user=42

The third-party site receives the full URL including the password reset token.

Exceptions

  • A missing or weak header should be evaluated against the live production response path, not only the framework or server config in isolation.
  • Legacy integrations or embedded third-party content may require narrowly scoped exceptions, but they should be documented explicitly instead of left permissive by default.
  • When multiple security headers are missing, prioritize the header that removes the highest exploitability or browser capability first.

Support Notes

  • The feature is supported across the current project browser matrix.
  • Baseline-compatible minimums: chrome 115, edge 115, firefox 116, safari 16.4, safari_ios 16.4.
  • Add a fallback or a narrower policy note when a required project target falls outside that support range.

Verification

Automated Checks

  • Inspect the effective response headers with curl, a security header scanner, or equivalent tooling against representative live responses.

Manual Checks

  • Verify the browser or user-facing behavior manually in a production-like flow and confirm there is no stronger conflicting security signal.