Referrer-Policy
The HTTP Referrer-Policy header tells the browser how much information, and which details, to send in the HTTP Referer header.
Usage
The Referrer-Policy header contains a directive that specifies which and how much information is given to a server via the HTTP Referer header. The available directives are as follows:
no-referrer
The no-referrer directive means that the HTTP Referer header is not sent at all, so HTTP requests carry none of these details.
no-referrer-when-downgrade
The no-referrer-when-downgrade directive stipulates that the origin, path, and query string will be sent with HTTP requests unless the connection is downgraded to one that is less secure. For example, if the connection is downgraded from HTTPS to HTTP, the HTTP Referer header will not be included with the request.
origin
The origin directive indicates that only the origin of the referring page will be sent in the HTTP Referer header.
origin-when-cross-origin
When the origin-when-cross-origin directive is included, a same-origin HTTP request using the same protocol will include the origin, path, and query string. For cross-origin HTTP requests, as well as where the security of the protocol is downgraded, only the origin will be sent in the HTTP Referer header.
same-origin
The same-origin directive implies that the origin will be sent with each HTTP request, but the HTTP Referer header will not be included with cross-origin HTTP requests.
strict-origin
When the strict-origin directive is present, only the origin will be sent, and only when the security level of the protocol stays the same.
strict-origin-when-cross-origin
The strict-origin-when-cross-origin directive is the same as strict-origin, although the HTTP Referer header will not be sent for cross-origin HTTP requests. When no policy is specified, this is the default value. It is also used if the specified directive is not understood.
Note
Before November 2020, the default directive was no-referrer-when-downgrade.
unsafe-url
The unsafe-url directive allows the origin, path, and query string to be included with any HTTP request, even when the connection is downgraded to a less secure one.
Setting a fallback policy
If a particular policy is not supported by the browser, a fallback policy can be specified by giving several policies as a comma-delimited list.
Example
In the first example, only the strict-origin restriction is applied. The second example includes a fallback policy: if the strict-origin directive is not supported, the browser falls back to no-referrer.
Referrer-Policy: strict-origin
Referrer-Policy: no-referrer, strict-origin
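To make the directives above and the fallback rule concrete, here is an added example (not code from the original page) that models which Referer value a browser derives for each directive, following the steps of the W3C Referrer Policy algorithm. It assumes the Node.js or browser URL API, treats a "downgrade" as any HTTPS to non-HTTPS request, and does not special-case local schemes such as data: or blob:.

```javascript
// Added example: derive the Referer value sent under a given Referrer-Policy.
// Simplifications (assumptions): downgrade = https -> non-https; local schemes
// (data:, blob:, file:) are not special-cased as the full spec does.
const KNOWN_POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "origin",
  "origin-when-cross-origin", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);
const DEFAULT_POLICY = "strict-origin-when-cross-origin";

// Parse a header value such as "no-referrer, strict-origin". The LAST token the
// browser recognises wins, so earlier tokens act as fallbacks for browsers that
// do not understand the later ones; unknown or empty values give the default.
function parsePolicy(headerValue, supported = KNOWN_POLICIES) {
  let chosen = "";
  for (const token of headerValue.split(",")) {
    const t = token.trim().toLowerCase();
    if (supported.has(t)) chosen = t;
  }
  return chosen || DEFAULT_POLICY;
}

// Full referrer: credentials and the fragment are always stripped.
function fullReferrer(u) {
  const c = new URL(u.href);
  c.username = ""; c.password = ""; c.hash = "";
  return c.href;
}
// Origin-only referrer is serialised with a trailing slash, e.g. "https://a.example/".
const originReferrer = (u) => u.origin + "/";

// Return the Referer string to send, or null when no Referer header is sent.
function computeReferer(policy, referringUrl, destinationUrl) {
  const from = new URL(referringUrl), to = new URL(destinationUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  switch (policy) {
    case "no-referrer":                return null;
    case "no-referrer-when-downgrade": return downgrade ? null : fullReferrer(from);
    case "origin":                     return originReferrer(from);
    case "origin-when-cross-origin":   return sameOrigin ? fullReferrer(from) : originReferrer(from);
    case "same-origin":                return sameOrigin ? fullReferrer(from) : null;
    case "strict-origin":              return downgrade ? null : originReferrer(from);
    case "strict-origin-when-cross-origin":
      return sameOrigin ? fullReferrer(from) : downgrade ? null : originReferrer(from);
    case "unsafe-url":                 return fullReferrer(from);
    default: throw new Error("unknown policy: " + policy);
  }
}
```

Running computeReferer with the default policy for a page at https://shop.example/cart?item=42 shows the query string leaving only for same-origin requests, the bare origin for other HTTPS destinations, and nothing at all for an HTTP destination.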
Takeaway
The HTTP Referrer-Policy header directs how much, and which, information is included in the HTTP Referer header.