Referrer-Policy
The HTTP Referrer-Policy response header controls how much referrer information the browser includes in the Referer header of requests made from a page, such as link navigations and subresource loads.
Baseline: Widely available
Supported in all major browsers.
Usage
When a browser follows a link or loads a subresource, the browser normally sends a Referer header containing the URL of the originating page. The Referrer-Policy header gives site operators control over what portion of the URL is shared, or whether the Referer header is sent at all.
Privacy-sensitive sites strip referrer information to avoid leaking query parameters (search terms, session or password-reset tokens), paths, or origin details to third parties. The policy applies to navigations, subresource requests, and prefetch operations initiated from the page.
A comma-separated list of policies serves as a fallback chain. The browser uses the last policy in the list that it recognizes and ignores values it does not understand, so a newer directive can be listed after an older one for forward-compatible deployments.
Directives
no-referrer
The no-referrer directive suppresses the Referer header
entirely. No URL information is sent with any request
originating from the page.
no-referrer-when-downgrade
The no-referrer-when-downgrade directive sends the full URL
(origin, path, and query string) unless the request is a
protocol downgrade, that is, an HTTPS page requesting an HTTP
destination. On a downgrade the Referer header is omitted;
HTTP to HTTP and HTTP to HTTPS requests still carry the full URL.
origin
The origin directive sends only the
origin portion of the URL (scheme, host, and
port). The path and query string are stripped from every
request. Unlike strict-origin, the origin is still sent when
an HTTPS page requests an HTTP destination.
origin-when-cross-origin
The origin-when-cross-origin directive sends the full URL
for same-origin requests. For cross-origin requests or
protocol downgrades, only the origin is sent.
same-origin
The same-origin directive sends the full URL for
same-origin requests and omits the Referer header entirely
for cross-origin requests.
strict-origin
The strict-origin directive sends only the origin, and only
when the security level of the protocol stays the same or
improves (HTTPS to HTTPS, HTTP to HTTP, or HTTP to HTTPS). A
protocol downgrade (HTTPS to HTTP) suppresses the header.
strict-origin-when-cross-origin
The strict-origin-when-cross-origin directive sends the
full URL for same-origin requests, sends only the origin for
cross-origin requests at the same security level, and omits
the header on a protocol downgrade. This is the default
policy in modern browsers when no Referrer-Policy is set.
unsafe-url
The unsafe-url directive sends the full URL (origin, path,
and query string) with every request regardless of the
destination or protocol. This exposes the most information
and is rarely appropriate for production use.
Example
A strict default policy sending only the origin on cross-origin navigations:
Referrer-Policy: strict-origin-when-cross-origin
A privacy-focused configuration suppressing all referrer data:
Referrer-Policy: no-referrer
A fallback chain where the browser picks strict-origin if
supported, and falls back to no-referrer otherwise:
Referrer-Policy: no-referrer, strict-origin
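The following is an added example, not code from the original page or from any browser: a small JavaScript model of how a browser evaluates the directives listed above and the comma-separated fallback chain. The function names (parsePolicyList, determineReferrer, compareAllPolicies) and the sample URLs are this example's own, and the downgrade check is simplified to "HTTPS source, non-HTTPS destination".

```javascript
// Added example: model of Referrer-Policy evaluation. The directive
// semantics follow the definitions on this page; helper names and the
// sample URLs below are assumptions made for the example.
const KNOWN_POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "origin",
  "origin-when-cross-origin", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);

// Parse a Referrer-Policy header value. Tokens are comma-separated and the
// last token the browser recognizes wins, so unknown (future) values are
// skipped rather than rejected. Returns "" when nothing is recognized,
// which means the browser falls back to its built-in default.
function parsePolicyList(headerValue, supported = KNOWN_POLICIES) {
  let chosen = "";
  for (const token of headerValue.split(",")) {
    const t = token.trim().toLowerCase();
    if (supported.has(t)) chosen = t;
  }
  return chosen;
}

function originOf(url) { return new URL(url).origin; }
function isHttps(url) { return new URL(url).protocol === "https:"; }

// A Referer never carries credentials or the fragment; strip them.
function fullReferrer(url) {
  const u = new URL(url);
  u.username = ""; u.password = ""; u.hash = "";
  return u.href;
}

// Returns the Referer value the browser would send for a request from
// sourceUrl to destUrl under the given policy, or null for no header.
function determineReferrer(policy, sourceUrl, destUrl) {
  if (policy === "") policy = "strict-origin-when-cross-origin"; // browser default
  const sameOrigin = originOf(sourceUrl) === originOf(destUrl);
  // Simplified downgrade test: HTTPS page requesting a non-HTTPS destination.
  const downgrade = isHttps(sourceUrl) && !isHttps(destUrl);
  const origin = originOf(sourceUrl) + "/"; // origin-only referrer keeps "/" as path
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return fullReferrer(sourceUrl);
    case "no-referrer-when-downgrade": return downgrade ? null : fullReferrer(sourceUrl);
    case "origin": return origin;
    case "same-origin": return sameOrigin ? fullReferrer(sourceUrl) : null;
    case "origin-when-cross-origin": return sameOrigin ? fullReferrer(sourceUrl) : origin;
    case "strict-origin": return downgrade ? null : origin;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return fullReferrer(sourceUrl);
      return downgrade ? null : origin;
    default: throw new Error(`unknown policy: ${policy}`);
  }
}

// Tabulate every directive for one source/destination pair, which makes the
// difference between the origin-only and strict-* variants visible.
function compareAllPolicies(sourceUrl, destUrl) {
  const out = {};
  for (const p of KNOWN_POLICIES) out[p] = determineReferrer(p, sourceUrl, destUrl);
  return out;
}

// Constructed sample: an HTTPS page with a secret in its query string loading
// an HTTP third-party resource (cross-origin and a protocol downgrade).
const SRC = "https://app.example.com/reset?token=abc123#step2";
const DST = "http://cdn.example.net/pixel.gif";
console.table(compareAllPolicies(SRC, DST));
console.log("fallback chain picks:", parsePolicyList("no-referrer, strict-origin"));
```

Run with Node; the table shows that only no-referrer, no-referrer-when-downgrade, same-origin, strict-origin and strict-origin-when-cross-origin withhold everything from the plaintext HTTP destination, while origin and origin-when-cross-origin still disclose the HTTPS origin and unsafe-url discloses the token.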
Takeaway
The Referrer-Policy header determines how much of the originating URL the browser exposes in the Referer header, balancing analytics needs against privacy protection.