Referrer Policy
What is Referrer Policy?
Referrer Policy: HTTP response header (or meta tag) that controls how much of the originating URL the browser shares in the Referer header on outgoing requests.
The Referrer-Policy header lets a site limit the information leaked in the Referer header when users click links, load subresources, or trigger navigations. Without restriction, full URLs (including query parameters containing tokens, IDs, or PII) can flow to third-party servers, analytics, and ad networks. Values range from no-referrer (send nothing) to strict-origin-when-cross-origin (send origin only across origins) and unsafe-url (send the full URL). The current Chromium and Firefox default is strict-origin-when-cross-origin. Setting an explicit, restrictive policy is a low-cost privacy and data-leakage control.
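To make the value-by-value behaviour above concrete, here is an added example (not code from the original page) that models how a browser derives the Referer header for a given policy, referring page and destination URL, following the Fetch standard's "determine request's referrer" steps. It assumes two simplifications, both marked in comments: only the https and wss schemes count as potentially trustworthy (the standard also trusts localhost), and the referring document is identified by a plain URL. The sample page and destinations are constructed.

```python
"""Model of how a browser derives the Referer header under each Referrer-Policy.

Added example, not from the original page. Follows the Fetch standard's
"determine request's referrer" algorithm with the simplifications noted below.
"""
from urllib.parse import parse_qs, urlsplit, urlunsplit

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)
DEFAULT_POLICY = "strict-origin-when-cross-origin"  # current Chromium/Firefox default
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
LOCAL_SCHEMES = ("about", "blob", "data")  # these sources never produce a referrer
MAX_REFERRER_LENGTH = 4096  # longer referrers collapse to the origin


def parse_referrer_policy_header(value):
    """Browsers split the header on commas and keep the LAST recognised token,
    so 'Referrer-Policy: no-referrer, bogus' still yields no-referrer. An empty
    or wholly unrecognised header falls back to the browser default."""
    policy = ""
    for token in value.split(","):
        token = token.strip()
        if token in POLICIES:
            policy = token
    return policy or DEFAULT_POLICY


def _host_port(parts):
    """Host plus non-default port, with credentials dropped."""
    host = parts.hostname or ""
    if ":" in host:  # bare IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(parts.scheme):
        return f"{host}:{parts.port}"
    return host


def _origin_key(parts):
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme))


def _potentially_trustworthy(parts):
    # Simplification: the standard also treats localhost and file URLs as trustworthy.
    return parts.scheme in ("https", "wss")


def referrer_for(policy, referrer_url, request_url):
    """Return the Referer value the browser would send, or None for no referrer."""
    if policy not in POLICIES:
        raise ValueError(f"unknown referrer policy: {policy!r}")
    src, dst = urlsplit(referrer_url), urlsplit(request_url)
    if src.scheme in LOCAL_SCHEMES:
        return None
    # Credentials and the fragment are always stripped before anything is sent.
    full = urlunsplit((src.scheme, _host_port(src), src.path or "/", src.query, ""))
    origin_only = f"{src.scheme}://{_host_port(src)}/"
    if len(full) > MAX_REFERRER_LENGTH:
        full = origin_only
    same_origin = _origin_key(src) == _origin_key(dst)
    downgrade = _potentially_trustworthy(src) and not _potentially_trustworthy(dst)

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin":
        return None if downgrade else origin_only
    # strict-origin-when-cross-origin: full URL to the same origin, origin only
    # across origins, nothing at all on an HTTPS -> HTTP downgrade.
    if same_origin:
        return full
    return None if downgrade else origin_only


def leaked_query_keys(policy, referrer_url, request_url):
    """Names of query parameters from the referring URL that reach the destination."""
    ref = referrer_for(policy, referrer_url, request_url)
    if not ref:
        return set()
    return set(parse_qs(urlsplit(ref).query, keep_blank_values=True))


if __name__ == "__main__":
    # Constructed scenario: a reset page whose URL carries a token, loading an ad
    # pixel (cross-origin), its own API (same-origin) and a plain-http script.
    page = "https://app.example/reset?token=abc123#step2"
    for dest in ("https://ads.example/pixel.gif", "https://app.example/api/log",
                 "http://cdn.example/widget.js"):
        for policy in ("unsafe-url", "no-referrer-when-downgrade", DEFAULT_POLICY, "no-referrer"):
            print(f"{policy:32} -> {dest:30} Referer={referrer_for(policy, page, dest)}")
```

Running the script prints a small matrix showing that only `unsafe-url` and `no-referrer-when-downgrade` hand the `token` parameter to the cross-origin ad host, while the default `strict-origin-when-cross-origin` reduces it to `https://app.example/` and sends nothing at all to the plain-http script. `leaked_query_keys` is the check to run when auditing which URL parameters a given policy exposes to third parties.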
● Examples
- 01. Referrer-Policy: strict-origin-when-cross-origin
- 02. Removing session tokens leaked through Referer headers to embedded ad scripts.
● Frequently asked questions
What is Referrer Policy?
HTTP response header (or meta tag) that controls how much of the originating URL the browser shares in the Referer header on outgoing requests. It belongs to the Application Security category of cybersecurity.
How do you defend against Referer leakage?
Set an explicit, restrictive Referrer-Policy header (or meta tag), such as strict-origin-when-cross-origin or no-referrer, so that full URLs and the tokens, IDs or PII in their query strings are not sent to third-party servers, as detailed in the full definition above.
● Related terms
- HTTP Security Headers (appsec № 496): Response headers that instruct browsers to enforce defensive behaviour such as HTTPS-only, framing restrictions, content policies and referrer controls.
- Content Security Policy (CSP) (appsec № 214): An HTTP response header that tells the browser which sources of scripts, styles, frames and other content are allowed, limiting the impact of XSS and data-injection attacks.
- Same-Origin Policy (SOP) (appsec № 960): Browser security rule that restricts how a document or script loaded from one origin can interact with a resource from a different origin.
- CORS (Cross-Origin Resource Sharing) (appsec № 223): A browser-enforced mechanism that lets a server selectively relax the Same-Origin Policy so that JavaScript on one origin can read responses from another.
- Secure Cookie Flag (appsec № 983): A cookie attribute that tells the browser to send the cookie only over HTTPS, preventing exposure in cleartext on the network.
- SameSite Cookie (appsec № 961): A cookie attribute that controls whether browsers attach the cookie on cross-site requests, with values Strict, Lax and None, used primarily to mitigate CSRF.