Referrer-PolicyReferrer-Policy is a security/privacy header controlling how much origin information the browser includes in the Referer header when navigating to another page or requesting a resource. You can choose between the full URL, origin only, or nothing.
The value is one policy (or a list for fallback) ranging from no-referrer to strict-origin-when-cross-origin to unsafe-url.
The Referer header carries where the user came from, which can leak sensitive data in the path or query string (session tokens, search terms, internal URL structure). Referrer-Policy governs that leakage. For example, strict-origin-when-cross-origin sends the full URL for same-site navigation, only the scheme+host (origin) when leaving to an external site, and nothing when downgrading from HTTPS to HTTP.
This policy is the default in most current browsers and strikes a balance between privacy and utility (keeping external analytics and referrer stats). To be stricter use same-origin or no-referrer; if you never need a referrer, use no-referrer.
Besides the response header, the policy can also be set via <meta name="referrer">, or per-link with rel="noreferrer" and the referrerpolicy attribute, enabling page- and element-level granularity.
Referrer-Policy: <policy>[, <policy>]*e.g. Referrer-Policy: strict-origin-when-cross-origin
no-referrer | Never sends the Referer header at all. |
same-origin | Sends the full URL only for same-origin requests, nothing cross-origin. |
strict-origin | Sends only the origin, and nothing on an HTTPS to HTTP downgrade. |
strict-origin-when-cross-origin | Full URL same-origin, origin-only cross-origin, nothing on downgrade (the modern default). |
no-referrer-when-downgrade | Omits only on a security downgrade (HTTPS to HTTP), otherwise the full URL (the old default). |
origin / origin-when-cross-origin / unsafe-url | Always origin only / origin only when cross-origin / always the full URL (unsafe). |