Referrer Policy
The HTTP Referrer-Policy response header controls the amount of referrer information (sent with the Referer header) that should be included with requests.
Besides the HTTP header, you can also set this policy within HTML.
Syntax
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
Note: The header name Referer is a misspelling of the word "referrer". The Referrer-Policy header does not share this misspelling.
Directives
no-referrer
The Referer header will be omitted: sent requests do not include any referrer information.
no-referrer-when-downgrade
Send the origin, path, and query string in Referer when the protocol security level stays the same or improves (HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS). Don't send the Referer header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file).
origin
Send only the origin in the Referer header. For example, a document at https://example.com/page.html will send the referrer https://example.com/.
origin-when-cross-origin
When performing a same-origin request to the same protocol level (HTTP→HTTP, HTTPS→HTTPS), send the origin, path, and query string. Send only the origin for cross-origin requests and requests to less secure destinations (HTTPS→HTTP).
same-origin
Send the origin, path, and query string for same-origin requests. Don't send the Referer header for cross-origin requests.
strict-origin
Send only the origin when the protocol security level stays the same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).
strict-origin-when-cross-origin (default)
Send the origin, path, and query string when performing a same-origin request. For cross-origin requests, send only the origin when the protocol security level stays the same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).
Note: This is the default policy if no policy is specified, or if the provided value is invalid (see spec revision November 2020). Previously the default was no-referrer-when-downgrade.
unsafe-url
Send the origin, path, and query string when performing any request, regardless of security.
Warning:
This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.
Example
You can set referrer policies within HTML by using a meta tag that specifies the policy for the entire document. For example, to set the referrer policy to origin for the whole page, use a meta tag with name="referrer" and content="origin".
To specify referrer policies for individual elements like links, images, scripts, or iframes, add the referrerpolicy attribute directly to those elements.
Similarly, to prevent sending referrer information for a link, you can use the rel="noreferrer" link relation.
Note: When setting a referrer policy for the entire document with a meta tag, the value is written with a dash, for example <meta name="referrer" content="no-referrer">, unlike the HTML attribute rel="noreferrer".
CSS resources follow referrer policies as well. External stylesheets default to strict-origin-when-cross-origin unless overridden by the server sending a Referrer-Policy HTTP header. Style tags or style attributes inherit the referrer policy from the document.
Examples of different referrer policies:
no-referrer
From document | Navigation to | Referrer used |
---|---|---|
https://example.com/page | anywhere | (no referrer) |
no-referrer-when-downgrade
From document | Navigation to | Referrer used |
---|---|---|
https://example.com/page | https://example.com/otherpage | https://example.com/page |
https://example.com/page | https://mozilla.org | https://example.com/page |
https://example.com/page | http://example.com | (no referrer) |
http://example.com/page | anywhere | http://example.com/page |
origin
From document | Navigation to | Referrer used |
---|---|---|
https://example.com/page | anywhere | https://example.com/ |
origin-when-cross-origin
From document | Navigation to | Referrer used |
---|---|---|
https://example.com/page | https://example.com/otherpage | https://example.com/page |
https://example.com/page | https://mozilla.org | https://example.com/ |
https://example.com/page | http://example.com/page | https://example.com/ |
same-origin
From document | Navigation to | Referrer used |
---|---|---|
https://example.com/page | https://example.com/otherpage | https://example.com/page |
https://example.com/page | https://mozilla.org | (no referrer) |
strict-origin
From document | Navigation to | Referrer used |
---|---|---|
https://example.com/page | https://mozilla.org | https://example.com/ |
https://example.com/page | http://example.com | (no referrer) |
http://example.com/page | anywhere | http://example.com/ |
strict-origin-when-cross-origin
From document | Navigation to | Referrer used |
---|---|---|
https://example.com/page | https://example.com/otherpage | https://example.com/page |
https://example.com/page | https://mozilla.org | https://example.com/ |
https://example.com/page | http://example.com | (no referrer) |
unsafe-url
From document | Navigation to | Referrer used |
---|---|---|
https://example.com/page?q=123 | anywhere | https://example.com/page?q=123 |
If you need to specify multiple fallback policies in case some browsers do not support your desired policy, you can list them separated by commas, with the preferred policy last. For example, in the HTTP header:
Referrer-Policy: no-referrer, strict-origin-when-cross-origin
Note: Multiple policies are only supported in the HTTP header, not in HTML attributes.
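The directive definitions and the tables above, together with the comma-separated fallback rule, can be turned into a small executable model. This is an added example, not code from the original page or from Requestly; it follows the page's definitions (a "downgrade" is any move from an https document to a non-https destination) rather than every nuance of the full specification, and assumes only the built-in WHATWG URL class.

```javascript
// Added example, not code from the original page: a small model of how a
// browser derives the Referer value from a Referrer-Policy. Assumes only the
// built-in WHATWG URL class (Node.js or any modern browser).
const POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "origin",
  "origin-when-cross-origin", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);

// Parse a header value such as "no-referrer, strict-origin-when-cross-origin".
// The last recognised token wins, so the preferred policy goes last; if no
// token is valid, the default strict-origin-when-cross-origin applies.
function parsePolicy(headerValue) {
  let chosen = "strict-origin-when-cross-origin";
  for (const raw of (headerValue || "").split(",")) {
    const token = raw.trim();
    if (POLICIES.has(token)) chosen = token;
  }
  return chosen;
}

// Origin only, serialised with a trailing slash as the page's tables show.
function originOf(u) { return u.origin + "/"; }
// Origin, path and query; the fragment and any credentials are never sent.
function fullOf(u) {
  const x = new URL(u.href);
  x.hash = ""; x.username = ""; x.password = "";
  return x.href;
}

// Returns the Referer value to send, or null when the header is omitted.
function referrerFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl), to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  // A downgrade leaves a secure (https) document for a non-https destination.
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  switch (policy) {
    case "no-referrer":                return null;
    case "unsafe-url":                 return fullOf(from);
    case "origin":                     return originOf(from);
    case "same-origin":                return sameOrigin ? fullOf(from) : null;
    case "no-referrer-when-downgrade": return downgrade ? null : fullOf(from);
    case "strict-origin":              return downgrade ? null : originOf(from);
    case "origin-when-cross-origin":   return sameOrigin ? fullOf(from) : originOf(from);
    case "strict-origin-when-cross-origin":
      return downgrade ? null : sameOrigin ? fullOf(from) : originOf(from);
    default: throw new Error(`unknown policy: ${policy}`);
  }
}
```

Run `referrerFor(parsePolicy(headerValue), documentUrl, destinationUrl)` against the rows of the tables above to confirm that each policy produces the listed Referer value.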
Browser-specific settings allow you to configure how browsers handle referrer information. For example, in Firefox, you can set preferences:
- Firefox version 59 and later: network.http.referer.defaultPolicy, including a separate setting for private browsing mode.
- Versions 53 to 58: network.http.referer.userControlPolicy
All these preferences accept values as numbers: 0 for no-referrer, 1 for same-origin, 2 for strict-origin-when-cross-origin, and 3 for no-referrer-when-downgrade.
How to Modify Header using Requestly
- Install and open the Requestly Chrome extension. You can find it on the Chrome Web Store.
- Create a new rule: Click on “Create Rule” and choose “Modify Headers” from the list of available rule types.
- Add a new header modification:
- Under “Action”, select “Add” or “Override”.
- In the “Header Name” field, enter Referrer-Policy.
- In the “Header Value” field, enter the desired policy (e.g., no-referrer or strict-origin-when-cross-origin).
- Set the URL condition: Specify the URL or pattern where this header change should apply (e.g., https://your-website.com/*).
- Save the rule.
Once set up, Requestly will inject the specified Referrer-Policy header into all matching requests, allowing you to test how different referrer settings impact your site’s privacy, security, or functionality.