HTTP Headers
Referrer Policy
HTTP Header
The HTTP Referrer-Policy response header controls the amount of referrer information (sent with the Referer header) that should be included with requests.
Besides the HTTP header, you can also set this policy within HTML.
Syntax
Syntax
http
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
Note:
The header name Referer is a misspelling of the word “referrer”. The Referrer-Policy header does not share this misspelling.
Directives
Directives
no-referrerThe
Refererheader will be omitted: sent requests do not include any referrer information.no-referrer-when-downgradeSend the origin, path, and query string in
Refererwhen the protocol security level stays the same or improves (HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS). Don’t send theRefererheader for requests to less secure destinations (HTTPS→HTTP, HTTPS→file).originSend only the origin in the
Refererheader.
For example, a document athttps://example.com/page.htmlwill send the referrerhttps://example.com/.origin-when-cross-originWhen performing a same-origin request to the same protocol level (HTTP→HTTP, HTTPS→HTTPS), send the origin, path, and query string. Send only the origin for cross-origin requests and requests to less secure destinations (HTTPS→HTTP).
same-originSend the origin, path, and query string for same-origin requests. Don’t send the
Refererheader for cross-origin requests.strict-originSend only the origin when the protocol security level stays the same (HTTPS→HTTPS). Don’t send the
Refererheader to less secure destinations (HTTPS→HTTP).strict-origin-when-cross-origin(default)Send the origin, path, and query string when performing a same-origin request. For cross-origin requests send the origin (only) when the protocol security level stays same (HTTPS→HTTPS). Don’t send the
Refererheader to less secure destinations (HTTPS→HTTP).Note:
This is the default policy if no policy is specified, or if the provided value is invalid (see spec revision November 2020). Previously the default wasno-referrer-when-downgrade.unsafe-urlSend the origin, path, and query string when performing any request, regardless of security.
Warning:
This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.
Example
You can set referrer policies within HTML by using a meta tag that specifies the policy for the entire document. For example, to set the referrer policy to origin for the whole page, include:
To specify referrer policies for individual elements like links, images, scripts, or iframes, you can add the referrerpolicy attribute directly to those elements:
For example:
<p>You can also specify the referrer policy for specific links or resources directly in your HTML code. For example:
Similarly, to prevent sending referrer information for a link, you can use the rel=”noreferrer” link relation:
<p>Note: When setting a referrer policy for the entire document with a meta tag, it should be written with a dash — for example, <meta name=”referrer” content=”no-referrer”> — unlike the HTML attribute rel=”noreferrer”.
CSS resources follow referrer policies as well. External stylesheets default to strict-origin-when-cross-origin unless overridden by the server sending a Referrer-Policy HTTP header. Style tags or style attributes inherit the referrer policy from the document.
Examples of different referrer policies:
no-referrer
| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | anywhere | (no referrer) |
no-referrer-when-downgrade
| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | https://example.com/otherpage | https://example.com/page |
| https://example.com/page | https://mozilla.org | https://example.com/page |
| https://example.com/page | http://example.com | (no referrer) |
| http://example.com/page | anywhere | http://example.com/page |
origin
| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | anywhere | https://example.com/ |
origin-when-cross-origin
| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | https://example.com/otherpage | https://example.com/page |
| https://example.com/page | https://mozilla.org | https://example.com/ |
| https://example.com/page | http://example.com/page | https://example.com/ |
same-origin
| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | https://example.com/otherpage | https://example.com/page |
| https://example.com/page | https://mozilla.org | (no referrer) |
strict-origin
| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | https://mozilla.org | https://example.com/ |
| https://example.com/page | http://example.com | (no referrer) |
| http://example.com/page | anywhere | http://example.com/ |
strict-origin-when-cross-origin
| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | https://example.com/otherpage | https://example.com/page |
| https://example.com/page | https://mozilla.org | https://example.com/ |
| https://example.com/page | http://example.com | (no referrer) |
unsafe-url
| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page?q=123 | anywhere | https://example.com/page?q=123 |
If you need to specify multiple fallback policies in case some browsers do not support your desired policy, you can list them separated by commas, with the preferred policy last. For example:
<pre>Referrer-Policy: no-referrer, strict-origin-when-cross-origin</pre> in the HTTP header or:
<p>Note: Multiple policies in the header are only supported in the HTTP header, not in HTML attributes.</p>
Browser-specific settings allow you to configure how browsers handle referrer information. For example, in Firefox, you can set preferences:
- Firefox version 59 and later: network.http.referer.defaultPolicy, including a separate setting for private browsing mode.
- Versions 53 to 58: network.http.referer.userControlPolicy
All these preferences accept values as numbers: 0 for no-referrer, 1 for same-origin, 2 for strict-origin-when-cross-origin, and 3 for no-referrer-when-downgrade.
How to Modify Header using Requestly
Requestly is a powerful Chrome extension that allows you to modify HTTP headers, including the Referrer-Policy header. This is especially useful when you want to control how much referral information is sent with requests, helping improve privacy and security or debug how your site behaves with different referral settings. Steps to Modify the Referrer-Policy Header:
- Install and open the Requestly Chrome extension. You can find it on the Chrome Web Store.
- Create a new rule: Click on “Create Rule” and choose “Modify Headers” from the list of available rule types.
- Add a new header modification:
- Under “Action”, select “Add” or “Override”.
- In the “Header Name” field, enter Referrer-Policy.
- In the “Header Value” field, enter the desired policy (e.g., no-referrer or strict-origin-when-cross-origin).
- Set the URL condition: Specify the URL or pattern where this header change should apply (e.g., https://your-website.com/*).
- Save the rule.
Once set up, Requestly will inject the specified Referrer-Policy header into all matching requests, allowing you to test how different referrer settings impact your site’s privacy, security, or functionality.
Table of Contents
- No headings found.
