Referrer Policy is an HTTP response header that governs how much information about the originating page is sent in the Referer header when a user navigates to another page or loads an external resource. By controlling referrer data, organizations can prevent sensitive information contained in URLs, such as tokens, session identifiers, and internal paths, from leaking to third parties.
How It Works
When a user clicks a link or a page loads an external resource like an image, script, or stylesheet, the browser typically sends a Referer header containing the URL of the originating page. If that URL contains sensitive data, such as a password reset token in the query string (/reset?token=abc123), the full URL is transmitted to the destination server in plaintext. Any external analytics service, CDN, or third-party resource loaded on the page receives this information.
The Referrer-Policy header allows site operators to control this behavior with several directive options. no-referrer strips the referrer entirely from all requests. same-origin sends the full referrer for same-origin requests but strips it for any cross-origin request. strict-origin-when-cross-origin, the recommended default, sends the full URL for same-origin requests but only the origin (scheme and host) for cross-origin requests, and sends nothing when downgrading from HTTPS to HTTP.
The policy can be set globally via an HTTP response header, per-element using the referrerpolicy HTML attribute, or through a <meta> tag. Setting it at the HTTP header level ensures consistent behavior across the entire application, including dynamically loaded content and JavaScript-initiated navigations.
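As an added illustration (not code from the original page), the following Python model reproduces the browser's referrer algorithm for every Referrer-Policy directive, not only the three described above, so you can see exactly what a page such as /reset?token=abc123 would reveal to a same-origin API, a third-party analytics host, or an HTTP downgrade under each setting. The hostnames app.example, analytics.example and cdn.example are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

POLICIES = ("no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
            "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url")

def origin(url):
    # scheme://host[:port] is the most a cross-origin Referer should ever carry
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "")

def full_referrer(url):
    # Browsers never send the fragment or userinfo; an empty path becomes "/"
    p = urlsplit(url)
    return urlunsplit((p.scheme, origin(url).partition("://")[2], p.path or "/", p.query, ""))

def effective_policy(header_value):
    # The header may carry a comma-separated fallback list; the last recognised token wins.
    known = [t for t in (x.strip().lower() for x in header_value.split(",")) if t in POLICIES]
    return known[-1] if known else "strict-origin-when-cross-origin"  # current browser default

def referer_for(policy, source, destination):
    # Return the Referer value the browser would send, or None when it is suppressed
    same = origin(source) == origin(destination)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(destination).scheme == "http"
    full, org = full_referrer(source), origin(source) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same else None
    if policy == "origin":
        return org
    if policy == "origin-when-cross-origin":
        return full if same else org
    if policy == "strict-origin":
        return None if downgrade else org
    if policy == "strict-origin-when-cross-origin":
        return full if same else (None if downgrade else org)
    raise ValueError(f"unknown Referrer-Policy {policy!r}")

def query_leaks(policy, source, destination):
    # True when the query string (where reset tokens and session ids tend to live) is sent
    ref = referer_for(policy, source, destination)
    return ref is not None and "?" in ref
```

With the constructed reset page and analytics host, no-referrer-when-downgrade hands the full token-bearing URL to the third party, strict-origin-when-cross-origin reduces it to https://app.example/, and no-referrer sends nothing at all.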
Why It Matters
URL-based information leakage is a frequently reported vulnerability in security assessments. Sensitive tokens, internal API paths, and user identifiers in URLs can be exposed to third-party services through the referrer header. Configuring an appropriate Referrer Policy is a straightforward security hardening measure that prevents this class of information disclosure. Applications that handle sensitive data in URLs should implement strict-origin-when-cross-origin at minimum, with no-referrer for the most sensitive pages.