The HTTP Referrer-Policy response header tells the browser how much of the current page's URL may be copied into the HTTP Referer request header when that page makes requests (navigations, subresource loads and fetches). Note the two spellings: the request header keeps its historical misspelling, Referer, while the policy header is spelled correctly. The policy matters because the path and query string of the referring URL often carry session identifiers, password-reset tokens or search terms that a third-party destination should never receive. The header takes one of the following directives:
no-referrer: the Referer header is never sent, so no request carries any information about the referring page.
no-referrer-when-downgrade: the full URL (origin, path and query string, with credentials and fragment removed) is sent as long as the protocol security level stays the same or improves (HTTPS to HTTPS, HTTP to HTTP, HTTP to HTTPS). On a downgrade from HTTPS to HTTP the Referer header is omitted.
origin: only the origin of the referring page (scheme, host and port, serialised as, for example, https://example.com/) is sent, for every request.
origin-when-cross-origin: same-origin requests receive the full URL (origin, path and query string). Cross-origin requests, which include any request that downgrades from HTTPS to HTTP because the scheme is part of the origin, receive only the origin.
same-origin: same-origin requests receive the full URL (origin, path and query string); for cross-origin requests the Referer header is omitted entirely.
strict-origin: only the origin is sent, and only when the protocol security level stays the same or improves; on a downgrade from HTTPS to HTTP the Referer header is omitted.
strict-origin-when-cross-origin: same-origin requests receive the full URL (origin, path and query string); cross-origin requests receive only the origin; and on a downgrade from HTTPS to HTTP nothing is sent at all. This is the default when no policy is specified, and it is also applied when none of the specified values is recognised by the browser. Before November of 2020 browsers applied a more permissive default.
unsafe-url: the full URL (origin, path and query string) is sent with every request, including downgrades from HTTPS to HTTP. This is the leakiest setting and should not be used on pages whose URLs carry anything sensitive.
Setting a fallback policy
A browser ignores any directive it does not recognise, so a fallback can be supplied as a comma-delimited list. The browser applies the last value in the list that it recognises, which means the preferred policy goes last and the fallback for older browsers goes first:

Referrer-Policy: strict-origin
Referrer-Policy: no-referrer, strict-origin

In the first example the strict-origin restriction is applied, and a browser that does not recognise it falls back to its built-in default. In the second example strict-origin is applied by browsers that support it, and a browser that does not recognise it falls back to no-referrer. Choose the fallback so that it is at least as restrictive as the preferred policy; a fallback of unsafe-url would silently widen what older browsers leak.
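The directive semantics listed above and the last-recognised-token rule for fallback lists, as an added example that is not part of the original article: a JavaScript model of what a browser does with the header, following the W3C Referrer Policy algorithms for parsing the header and determining a request's referrer. It assumes a simplified "potentially trustworthy" check (HTTPS, WSS and loopback hosts only), and the sample page URL, targets and header values in it are constructed for illustration.

```javascript
// Added example, not code from the original article: a model of how a
// browser turns a Referrer-Policy header value, the referring page's URL
// and the requested URL into the Referer header it will send. Follows the
// W3C Referrer Policy algorithms ("parse a referrer policy from a
// Referrer-Policy header" and "determine request's referrer").

const KNOWN_POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "origin",
  "origin-when-cross-origin", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);
const DEFAULT_POLICY = "strict-origin-when-cross-origin";
const MAX_REFERRER_LENGTH = 4096; // longer referrers are reduced to the origin

// Comma-separated list; the LAST recognised token wins, so earlier tokens are
// fallbacks for browsers that do not know the later ones. Unknown tokens are
// skipped; if nothing is recognised the default policy applies.
function parseReferrerPolicy(headerValue) {
  let policy = "";
  for (const raw of String(headerValue || "").split(",")) {
    const token = raw.trim().toLowerCase();
    if (KNOWN_POLICIES.has(token)) policy = token;
  }
  return policy || DEFAULT_POLICY;
}

// Simplified "potentially trustworthy URL" check (assumption: only the cases
// that matter for the HTTPS -> HTTP downgrade rule are modelled here).
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (u.protocol === "https:" || u.protocol === "wss:") return true;
  return u.hostname === "localhost" || u.hostname === "127.0.0.1" || u.hostname === "[::1]";
}

// Full referrer: the referring URL with credentials and fragment stripped.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Origin-only referrer, serialised the way browsers send it ("https://host/").
function referrerOrigin(url) {
  return new URL(url).origin + "/";
}

// Returns the Referer value for one request, or null when the header is omitted.
function referrerFor(policy, referringPage, requestUrl) {
  const sameOrigin = new URL(referringPage).origin === new URL(requestUrl).origin;
  const downgrade = isPotentiallyTrustworthy(referringPage) && !isPotentiallyTrustworthy(requestUrl);
  const origin = referrerOrigin(referringPage);
  let full = stripForReferrer(referringPage);
  if (full.length > MAX_REFERRER_LENGTH) full = origin;

  switch (policy) {
    case "no-referrer":                return null;
    case "unsafe-url":                 return full;
    case "origin":                     return origin;
    case "same-origin":                return sameOrigin ? full : null;
    case "origin-when-cross-origin":   return sameOrigin ? full : origin;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin":              return downgrade ? null : origin;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// Convenience wrapper: raw header value in, Referer value (or null) out.
function refererFromHeader(headerValue, referringPage, requestUrl) {
  return referrerFor(parseReferrerPolicy(headerValue), referringPage, requestUrl);
}

// Constructed sample: a reset page whose query string carries a token, making
// a same-origin request, a cross-origin HTTPS request and an HTTP downgrade.
const PAGE = "https://app.example.com/reset?token=abc123#step2";
const TARGETS = [
  "https://app.example.com/api/me",
  "https://cdn.example.net/x.js",
  "http://tracker.example.org/p",
];
for (const header of ["unsafe-url", "no-referrer, strict-origin", "bogus-value"]) {
  for (const target of TARGETS) {
    console.log(`${header} | ${target} -> ${refererFromHeader(header, PAGE, target)}`);
  }
}
```

Running it shows the practical difference: unsafe-url hands the reset token to the tracker, the fallback list resolves to strict-origin and sends only the origin cross-origin and nothing on the downgrade, and the unrecognised value collapses to the strict-origin-when-cross-origin default.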
In short, the HTTP Referrer-Policy header controls how much of the referring URL, if any, ends up in the HTTP Referer header. strict-origin-when-cross-origin is a sound default; pages whose URLs carry tokens or other sensitive data should set no-referrer or same-origin explicitly rather than rely on the browser default.