Security Header

Referrer-Policy

Last updated: April 2026

Referrer-Policy controls what information is sent in the Referer request header when users navigate from your page. Without it, the browser may send full URLs including sensitive query parameters to third-party sites.

Recommended value

Referrer-Policy: strict-origin-when-cross-origin

Sends the full URL for same-origin requests. Sends only the origin (no path or query) for cross-origin requests, and sends nothing at all when navigating from HTTPS to HTTP. This is the browser default since Chrome 85.

All policy values

no-referrer              # never send Referer header
no-referrer-when-downgrade  # don't send on HTTPS->HTTP (old default)
origin                   # send only the origin (https://yoursite.com)
origin-when-cross-origin # full URL same-origin, origin-only cross-origin
same-origin              # only send for same-origin requests
strict-origin            # origin only, nothing on HTTPS->HTTP
strict-origin-when-cross-origin  # recommended
unsafe-url               # always send full URL (insecure)
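As an added example (not part of this page or of any tool it mentions), the following JavaScript models how a browser derives the Referer value under each policy listed above, so you can see exactly what a query string would leak to a third party. The sample URLs are constructed, and the model simplifies the spec: only an https: to http: navigation counts as a downgrade, and local schemes (data:, file:, blob:) are not handled.

```javascript
// Added example (not from the page): Referer value a browser sends under
// each Referrer-Policy. Simplified model of the spec: "downgrade" means
// https: -> http:, and local schemes (data:, file:, blob:) are ignored.
const POLICIES = [
  "no-referrer", "no-referrer-when-downgrade", "origin",
  "origin-when-cross-origin", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
];
// Full referrer: the URL stripped of fragment and credentials.
const fullReferrer = (u) => u.origin + u.pathname + u.search;
// Origin-only referrer: the origin serialization followed by "/".
const originReferrer = (u) => u.origin + "/";
// Returns the Referer header value, or null when no header is sent.
function computeReferrer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol === "http:";
  // An empty policy means the browser default, strict-origin-when-cross-origin.
  switch (policy || "strict-origin-when-cross-origin") {
    case "no-referrer": return null;
    case "no-referrer-when-downgrade": return downgrade ? null : fullReferrer(from);
    case "origin": return originReferrer(from);
    case "origin-when-cross-origin": return sameOrigin ? fullReferrer(from) : originReferrer(from);
    case "same-origin": return sameOrigin ? fullReferrer(from) : null;
    case "strict-origin": return downgrade ? null : originReferrer(from);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return fullReferrer(from);
      return downgrade ? null : originReferrer(from);
    case "unsafe-url": return fullReferrer(from);
    default: throw new Error(`unknown policy: ${policy}`);
  }
}

// What each policy leaks for one navigation: handy when checking whether a
// query string (tokens, account ids) would reach a third party.
function leakTable(fromUrl, toUrl) {
  const out = {};
  for (const p of POLICIES) out[p] = computeReferrer(p, fromUrl, toUrl);
  return out;
}

// Constructed sample: a page carrying a sensitive query parameter that
// links to a third-party site.
const FROM = "https://yoursite.com/account?reset_token=abc123#top";
const TO = "https://example.com/landing";
console.log(leakTable(FROM, TO));
```

Only unsafe-url and no-referrer-when-downgrade hand the reset token to example.com in this sample; the recommended policy sends just "https://yoursite.com/".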

Set in Nginx

add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Set per link in HTML

<a href="https://example.com" referrerpolicy="no-referrer">Link</a>