The HTTP Referrer-Policy response header controls how much referrer information (sent with the Referer header) should be included with requests. Aside from the HTTP header, you can set this policy in HTML.
Policy value | Behaviour
---|---
no-referrer | The Referer header will be omitted: sent requests do not include any referrer information.
no-referrer-when-downgrade | Send the origin, path, and query string in Referer when the protocol security level stays the same or improves (HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS). Don't send the Referer header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file).
origin | Send only the origin in the Referer header. For example, a document at https://example.com/page.html will send the referrer https://example.com/.
origin-when-cross-origin | When performing a same-origin request to the same protocol level (HTTP→HTTP, HTTPS→HTTPS), send the origin, path, and query string. Send only the origin for cross-origin requests and requests to less secure destinations (HTTPS→HTTP).
same-origin | Send the origin, path, and query string for same-origin requests. Don't send the Referer header for cross-origin requests.
strict-origin | Send only the origin when the protocol security level stays the same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).
strict-origin-when-cross-origin | Send the origin, path, and query string when performing a same-origin request. For cross-origin requests send only the origin when the protocol security level stays the same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).
unsafe-url | Send the origin, path, and query string when performing any request, regardless of security.
The server default is strict-origin-when-cross-origin.
The data in the Referer header is usually used for analytics and logging. However, there can be privacy and security risks: the data could be used for user tracking, and it could leak to third parties who eavesdrop on the connection. The Referrer-Policy HTTP header allows you to mitigate these risks by controlling, and even minimizing, the referrer data that is sent.
We suggest making an informed decision, with privacy and security risks in mind, and choosing one of the policy values from the first two categories below.
Rating | Policy values | Notes
---|---|---
Good | no-referrer, same-origin | With these policy values no sensitive referrer data is sent to third parties.
Warning | strict-origin, strict-origin-when-cross-origin | With these policy values basic referrer data, which may be sensitive, is sent to third parties only via secure connections (HTTPS). Therefore these values should only be used where necessary and permitted by law.
Bad | no-referrer-when-downgrade, origin-when-cross-origin, origin, unsafe-url | With these policy values full or basic referrer data, which may be sensitive, is sent to third parties, possibly via insecure connections (HTTP). Therefore these values must not be used.
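The two tables above describe, in prose, what a browser puts in the Referer header under each policy and how each value is rated. The following added example (not part of the original page) turns both into code: `referer_for` computes the Referer value a browser would send for a given policy, source URL and destination URL, and `grade_policy` / `check_response` rate a policy value, or the Referrer-Policy header in a raw response, using the Good/Warning/Bad categories. The sample response header block is constructed for the example; the function and variable names are this example's own.

```python
"""Model of the Referrer-Policy table: what Referer is sent, and how a policy value is rated.
Added example, not code from the original page."""
from urllib.parse import urlsplit, urlunsplit

# Only https counts as a secure protocol level; https -> http or https -> file is a downgrade.
_SECURE_SCHEMES = {"https"}


def _origin(url: str) -> str:
    """scheme://host[:port]/ with userinfo, path, query and fragment removed."""
    p = urlsplit(url)
    host = p.netloc.rpartition("@")[2]
    return f"{p.scheme}://{host}/"


def _full(url: str) -> str:
    """Origin, path and query; the fragment and userinfo are never sent in Referer."""
    p = urlsplit(url)
    host = p.netloc.rpartition("@")[2]
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))


def _same_origin(src: str, dst: str) -> bool:
    return _origin(src) == _origin(dst)


def _downgrade(src: str, dst: str) -> bool:
    return urlsplit(src).scheme in _SECURE_SCHEMES and urlsplit(dst).scheme not in _SECURE_SCHEMES


def referer_for(policy: str, src: str, dst: str):
    """Return the Referer value a browser sends for a request from src to dst, or None if omitted."""
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _full(src)
    if policy == "no-referrer-when-downgrade":
        return None if _downgrade(src, dst) else _full(src)
    if policy == "origin":
        return _origin(src)
    if policy == "same-origin":
        return _full(src) if _same_origin(src, dst) else None
    if policy == "origin-when-cross-origin":
        # same-origin implies the same scheme, so the "same protocol level" condition is met
        return _full(src) if _same_origin(src, dst) else _origin(src)
    if policy == "strict-origin":
        return None if _downgrade(src, dst) else _origin(src)
    if policy == "strict-origin-when-cross-origin":
        if _downgrade(src, dst):
            return None
        return _full(src) if _same_origin(src, dst) else _origin(src)
    raise ValueError(f"unknown policy value: {policy!r}")


# Rating table from the page.
GRADES = {
    "Good": {"no-referrer", "same-origin"},
    "Warning": {"strict-origin", "strict-origin-when-cross-origin"},
    "Bad": {"no-referrer-when-downgrade", "origin-when-cross-origin", "origin", "unsafe-url"},
}
_KNOWN = set().union(*GRADES.values())


def effective_policy(header_value: str) -> str:
    """The header may carry a comma-separated fallback list; the last recognised token applies."""
    chosen = ""
    for token in header_value.split(","):
        token = token.strip().lower()
        if token in _KNOWN:
            chosen = token
    return chosen


def grade_policy(value: str) -> str:
    """Good / Warning / Bad per the page's table, or Unknown for an unrecognised value."""
    value = value.strip().lower()
    for grade, names in GRADES.items():
        if value in names:
            return grade
    return "Unknown"


def check_response(raw_headers: str) -> str:
    """Grade the Referrer-Policy header in a raw HTTP response header block; Missing if absent."""
    for line in raw_headers.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "referrer-policy":
            return grade_policy(effective_policy(val))
    return "Missing"


# Constructed sample response, as a server configured with same-origin would send it.
SAMPLE_RESPONSE = "HTTP/1.1 200 OK\r\nReferrer-Policy: same-origin\r\nContent-Type: text/html\r\n"

if __name__ == "__main__":
    for policy in sorted(_KNOWN):
        print(f"{policy:32} -> {referer_for(policy, 'https://example.com/page.html?q=1', 'https://cdn.example/')}")
    print("sample response:", check_response(SAMPLE_RESPONSE))
```

Running the block prints, for each policy value, the Referer that a cross-origin HTTPS request from https://example.com/page.html?q=1 would carry, which makes the difference between the Good, Warning and Bad rows concrete: only the Good values send nothing to the third party, the Warning values send the bare origin, and the Bad values send the origin or the full URL even when the destination is plain HTTP.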
As an example we will use same-origin. Setting it globally in httpd.conf is the preferred option.

```
# cd /etc/httpd/conf/
# vi httpd.conf
Header always set Referrer-Policy "same-origin"
# httpd -t
# systemctl restart httpd
```
Setting the policy per virtual host should only be done if you need a different policy for that site. It must be set in the virtual host's *:443 section.

```
# cd /etc/httpd/conf/vhosts/
# vi <URL>.conf
Header always set Referrer-Policy "same-origin"
# httpd -t
# systemctl restart httpd
```