Referrer-Policy

The HTTP Referrer-Policy header contains instructions on how much information and what details are sent with the HTTP Referer header.

Usage

The Referrer-Policy header contains directives that specify which and how much information is given to a server via the HTTP Referer header. It has several directives, as follows:

no-referrer

The no-referrer directive means the HTTP Referer header is omitted entirely, so HTTP requests carry no referrer details at all.

no-referrer-when-downgrade

The no-referrer-when-downgrade directive stipulates that the origin, path, and query string will be sent with HTTP requests unless the connection is downgraded to a less secure protocol. For example, if a request goes from an HTTPS page to an HTTP destination, the HTTP Referer header will not be included.

origin

The origin directive indicates that only the client’s origin will be sent in the HTTP Referer header.

origin-when-cross-origin

When the origin-when-cross-origin directive is included, a same-origin HTTP request using the same protocol will include the origin, path, and query string. For cross-origin HTTP requests, as well as where the security of the protocol is downgraded, only the origin will be sent with the HTTP Referer header.

same-origin

The same-origin directive implies that a referrer is sent only with same-origin HTTP requests; the HTTP Referer header is not included with cross-origin HTTP requests.

strict-origin

When the strict-origin directive is present, the origin will be sent but only when the security level of the protocol stays the same.

strict-origin-when-cross-origin

The strict-origin-when-cross-origin directive is the same as strict-origin, although the HTTP Referer header will not be sent for cross-origin HTTP requests. This is the default value when no policy is specified; it is also used if the specified directive is not understood.

Note

Before November of 2020, the default directive was no-referrer-when-downgrade.

unsafe-url

The unsafe-url directive allows the origin, path, and query string to be included with every HTTP request, even when the request is downgraded to a less secure protocol.

Setting a fallback policy

If a particular policy is not supported by the browser, then a fallback policy can be specified by using a comma-delimited list.

Example

In the first example, only the strict-origin restriction is applied. In the second example, a fallback policy is included: if the browser does not support the strict-origin directive, it falls back to no-referrer.

Referrer-Policy: strict-origin
Referrer-Policy: no-referrer, strict-origin
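The following Python script is an added example, not part of the original page. It models two things the page describes: how a browser resolves a comma-delimited fallback list such as the second example above (the last directive it recognises wins, and an unrecognised value falls back to the default strict-origin-when-cross-origin), and what Referer value each directive yields for a given source page and request destination, following the Referrer Policy specification's algorithm (credentials and fragment are always stripped, and origin-only referrers are serialised with a trailing slash). The URLs in it are constructed sample values; treating only https and wss as "secure" for downgrade detection is a deliberate simplification.

```python
from urllib.parse import urlsplit, urlunsplit

# Directive names defined by the Referrer Policy specification.
KNOWN_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Applied when the header is absent or none of its tokens is recognised.
DEFAULT_POLICY = "strict-origin-when-cross-origin"
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
# Simplification: schemes treated as secure when detecting a downgrade.
SECURE_SCHEMES = {"https", "wss"}


def effective_policy(header_value):
    """Resolve a Referrer-Policy header value to the policy a browser applies.

    Tokens are scanned left to right and the last recognised one wins, which
    is why the fallback goes first and the preferred directive last.
    """
    chosen = ""
    for token in header_value.split(","):
        token = token.strip().lower()
        if token in KNOWN_POLICIES:
            chosen = token
    return chosen or DEFAULT_POLICY


def _origin_tuple(url):
    """(scheme, host, port) with the default port filled in for comparison."""
    p = urlsplit(url)
    port = p.port if p.port is not None else DEFAULT_PORTS.get(p.scheme.lower())
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def _host_port(url):
    scheme, host, port = _origin_tuple(url)
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        host = "%s:%d" % (host, port)
    return scheme, host


def _origin_referrer(url):
    """Serialise just the origin, as browsers do: 'https://host[:port]/'."""
    scheme, host = _host_port(url)
    return "%s://%s/" % (scheme, host)


def _full_referrer(url):
    """Strip credentials and fragment; keep origin, path and query."""
    p = urlsplit(url)
    scheme, host = _host_port(url)
    return urlunsplit((scheme, host, p.path or "/", p.query, ""))


def referer_for(policy, source_url, dest_url):
    """Referer value sent for a request from source_url to dest_url under
    the given policy, or None when no Referer header is sent at all."""
    same_origin = _origin_tuple(source_url) == _origin_tuple(dest_url)
    downgrade = (urlsplit(source_url).scheme.lower() in SECURE_SCHEMES
                 and urlsplit(dest_url).scheme.lower() not in SECURE_SCHEMES)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _full_referrer(source_url)
    if policy == "origin":
        return _origin_referrer(source_url)
    if policy == "same-origin":
        return _full_referrer(source_url) if same_origin else None
    if policy == "origin-when-cross-origin":
        return _full_referrer(source_url) if same_origin else _origin_referrer(source_url)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _full_referrer(source_url)
    if policy == "strict-origin":
        return None if downgrade else _origin_referrer(source_url)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return _full_referrer(source_url)
        return None if downgrade else _origin_referrer(source_url)
    raise ValueError("unknown policy: %r" % policy)


if __name__ == "__main__":
    # Constructed sample: a page with a sensitive query string making
    # requests to itself, to a third party over HTTPS, and to a plain-HTTP host.
    page = "https://user:pw@shop.example/cart?session=abc123#top"
    targets = ["https://shop.example/checkout",
               "https://cdn.example/widget.js",
               "http://tracker.example/pixel"]
    for header in ["strict-origin", "no-referrer, strict-origin", "bogus"]:
        policy = effective_policy(header)
        print("%-28s -> %s" % (header, policy))
        for dest in targets:
            print("   %-32s Referer: %s" % (dest, referer_for(policy, page, dest)))
```

Running the script shows why the modern default is a reasonable baseline: the session identifier in the query string never leaves the site's own origin, the HTTPS third party learns only the origin, and the plain-HTTP tracker receives nothing.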

Takeaway

The HTTP Referrer-Policy header is used to direct how much and which information to include with the HTTP Referer header.

Last updated: June 20, 2022