Referrer Policy

The HTTP Referrer-Policy response header controls the amount of referrer information (sent with the Referer header) that should be included with requests.
Besides the HTTP header, you can also set this policy within HTML.

Syntax

```http
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
```

Note:
The header name Referer is a misspelling of the word “referrer”. The Referrer-Policy header does not share this misspelling.

Directives

no-referrer

The Referer header will be omitted: sent requests do not include any referrer information.

no-referrer-when-downgrade

Send the origin, path, and query string in Referer when the protocol security level stays the same or improves (HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS). Don’t send the Referer header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file).

origin

Send only the origin in the Referer header.
For example, a document at https://example.com/page.html will send the referrer https://example.com/.

origin-when-cross-origin

When performing a same-origin request to the same protocol level (HTTP→HTTP, HTTPS→HTTPS), send the origin, path, and query string. Send only the origin for cross-origin requests and requests to less secure destinations (HTTPS→HTTP).

same-origin

Send the origin, path, and query string for same-origin requests. Don’t send the Referer header for cross-origin requests.

strict-origin

Send only the origin when the protocol security level stays the same (HTTPS→HTTPS). Don’t send the Referer header to less secure destinations (HTTPS→HTTP).

strict-origin-when-cross-origin (default)

Send the origin, path, and query string when performing a same-origin request. For cross-origin requests, send only the origin when the protocol security level stays the same (HTTPS→HTTPS). Don’t send the Referer header to less secure destinations (HTTPS→HTTP).

Note:
This is the default policy if no policy is specified, or if the provided value is invalid (see spec revision November 2020). Previously the default was no-referrer-when-downgrade.

unsafe-url

Send the origin, path, and query string when performing any request, regardless of security.

Warning:
This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.

Example

You can set referrer policies within HTML by using a meta tag that specifies the policy for the entire document: a meta element with name="referrer" and the policy as its content value. For example, to set the referrer policy to origin for the whole page, use content="origin".

To specify referrer policies for individual elements like links, images, scripts, or iframes, add the referrerpolicy attribute (with a policy such as origin as its value) directly to those elements.

Similarly, to prevent sending referrer information for a link, use the rel="noreferrer" link relation on the link element.

Note: When setting a referrer policy for the entire document with a meta tag, the value is written with a dash, for example <meta name="referrer" content="no-referrer">, unlike the HTML attribute rel="noreferrer".

CSS resources follow referrer policies as well. External stylesheets default to strict-origin-when-cross-origin unless overridden by the server sending a Referrer-Policy HTTP header. Style tags or style attributes inherit the referrer policy from the document.

Examples of different referrer policies:

no-referrer

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | anywhere | (no referrer) |

no-referrer-when-downgrade

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | https://example.com/otherpage | https://example.com/page |
| https://example.com/page | https://mozilla.org | https://example.com/page |
| https://example.com/page | http://example.com | (no referrer) |
| http://example.com/page | anywhere | http://example.com/page |

origin

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | anywhere | https://example.com/ |

origin-when-cross-origin

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | https://example.com/otherpage | https://example.com/page |
| https://example.com/page | https://mozilla.org | https://example.com/ |
| https://example.com/page | http://example.com/page | https://example.com/ |

same-origin

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | https://example.com/otherpage | https://example.com/page |
| https://example.com/page | https://mozilla.org | (no referrer) |

strict-origin

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | https://mozilla.org | https://example.com/ |
| https://example.com/page | http://example.com | (no referrer) |
| http://example.com/page | anywhere | http://example.com/ |

strict-origin-when-cross-origin

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | https://example.com/otherpage | https://example.com/page |
| https://example.com/page | https://mozilla.org | https://example.com/ |
| https://example.com/page | http://example.com | (no referrer) |

unsafe-url

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page?q=123 | anywhere | https://example.com/page?q=123 |

If you need to specify multiple fallback policies in case some browsers do not support your desired policy, list them separated by commas, with the preferred policy last. A browser ignores the values it does not recognise and uses the last one it does. For example, in the HTTP header:

```http
Referrer-Policy: no-referrer, strict-origin-when-cross-origin
```

Note: Multiple policies are only supported in the HTTP header, not in HTML attributes.
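As an added example (not code from this page or from Requestly), the following JavaScript models the directive tables above together with the comma-separated fallback form: it parses a Referrer-Policy header value and computes the Referer a browser would send for a given navigation. It assumes http(s) document URLs and approximates "secure" as the https scheme.

```javascript
// Added example, not code from the Requestly page or the spec: a reference model of
// how a browser derives the Referer value under each Referrer-Policy directive,
// including the comma-separated fallback form where the last recognised policy wins.
// Assumes http(s) document URLs; "secure" is approximated as scheme === "https:".

const POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
  "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
]);
const DEFAULT_POLICY = "strict-origin-when-cross-origin";

// Parse a Referrer-Policy header value: unknown tokens are ignored, the last recognised
// token wins, and an empty or entirely invalid value yields the default policy.
function parseReferrerPolicy(headerValue) {
  let chosen = "";
  for (const token of headerValue.split(",")) {
    const t = token.trim().toLowerCase();
    if (POLICIES.has(t)) chosen = t;
  }
  return chosen || DEFAULT_POLICY;
}

const isSecure = (url) => url.protocol === "https:";

// Return the Referer value to send for a request from `fromUrl` to `toUrl`,
// or null when the header is omitted entirely.
function computeReferrer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // A full referrer never carries credentials or the fragment; origin-only
  // referrers are serialised with a trailing slash, as in the tables above.
  const full = from.origin + from.pathname + from.search;
  const originOnly = from.origin + "/";
  const sameOrigin = from.origin === to.origin;        // same scheme, host and port
  const downgrade = isSecure(from) && !isSecure(to);   // HTTPS -> HTTP or file
  switch (policy) {
    case "no-referrer":                return null;
    case "unsafe-url":                 return full;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin":                     return originOnly;
    case "same-origin":                return sameOrigin ? full : null;
    case "origin-when-cross-origin":   return sameOrigin ? full : originOnly;
    case "strict-origin":              return downgrade ? null : originOnly;
    case "strict-origin-when-cross-origin":
      return sameOrigin ? full : (downgrade ? null : originOnly);
    default:                           return computeReferrer(DEFAULT_POLICY, fromUrl, toUrl);
  }
}
```

Feeding a site's actual header value and a sample downgrade navigation (HTTPS page to an HTTP destination) through these two functions shows at a glance whether path and query string would leak.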

Browser-specific settings allow you to configure how browsers handle referrer information. For example, in Firefox, you can set preferences:

  • Firefox version 59 and later: network.http.referer.defaultPolicy, including a separate setting for private browsing mode.
  • Versions 53 to 58: network.http.referer.userControlPolicy

All these preferences accept values as numbers: 0 for no-referrer, 1 for same-origin, 2 for strict-origin-when-cross-origin, and 3 for no-referrer-when-downgrade.

How to Modify Header using Requestly

Requestly is a powerful Chrome extension that allows you to modify HTTP headers, including the Referrer-Policy header. This is especially useful when you want to control how much referrer information is sent with requests, helping improve privacy and security or debug how your site behaves under different referrer settings.

Steps to Modify the Referrer-Policy Header:

  1. Install and open the Requestly Chrome extension. You can find it on the Chrome Web Store.
  2. Create a new rule: Click on “Create Rule” and choose “Modify Headers” from the list of available rule types.
  3. Add a new header modification:
    • Under “Action”, select “Add” or “Override”.
    • In the “Header Name” field, enter Referrer-Policy.
    • In the “Header Value” field, enter the desired policy (e.g., no-referrer or strict-origin-when-cross-origin).
  4. Set the URL condition: Specify the URL or pattern where this header change should apply (e.g., https://your-website.com/*).
  5. Save the rule.

Once set up, Requestly will inject the specified Referrer-Policy header into all matching requests, allowing you to test how different referrer settings impact your site’s privacy, security, or functionality.