The HTTP Referer header indicates the web page that led a visitor to your site. While very useful for traffic analysis, it can create a privacy risk by revealing the URL of the previous page, which can sometimes contain sensitive information.

The Referrer-Policy header allows you to precisely control this information. This recipe helps you easily configure this essential security header to control the data your site shares with external sites.

Why install this recipe?

Protect user privacy: Limit the sharing of sensitive browsing information, such as internal page URLs or query parameters, with external sites.

Enhance security: Prevent leaks of URLs containing sensitive information (like a password reset link) to third parties.

Improve compliance: Adopting a strict policy is a good practice that aligns with data protection regulations, such as the GDPR.

Choosing the right Referrer policy

| Policy name | Description |
|---|---|
| no-referrer | Sends no Referer information, which enhances user privacy but may impact analytics data. |
| no-referrer-when-downgrade | Behaves like no-referrer only when navigating from https to http: sends the full referrer URL on same-security-level requests, but sends no referrer information on requests from a secure (https) to an insecure (http) origin. |
| origin | Sends only the origin (scheme, host, and port) of the referring URL. |
| origin-when-cross-origin | Sends the full URL for same-origin requests and only the origin for cross-origin requests. |
| same-origin | Sends the full URL for same-origin requests and omits it for cross-origin requests. |
| strict-origin | Sends the origin for same-security-level requests (e.g., https to https) but omits it for less secure destinations (e.g., https to http). |
| strict-origin-when-cross-origin | Sends the full URL for same-origin requests. Sends only the origin for cross-origin requests at the same security level (e.g., https to https). Otherwise, omits the Referer header. |
| unsafe-url | Sends the full URL in all cases. We do not advise using this policy, as it is less privacy-friendly. |

Which policy to choose? Our recommendations

  • Maximum privacy: Choose no-referrer. No information is sent, but this may affect the accuracy of your analytics tools.
  • The best balance (Recommended): strict-origin-when-cross-origin is the most common choice. It preserves privacy while sharing the origin (the domain name) with external sites, which is often useful.
  • For internal use: same-origin is a good option if you only want the Referer for navigation within your own site.

Some examples

This matrix shows the Referer header sent by the browser for different scenarios, depending on the chosen policy, for navigation from a page at the URL https://example.com/page.

| Policy name | To URL | Referer header sent by the browser |
|---|---|---|
| no-referrer | anywhere | No Referer header |
| no-referrer-when-downgrade | http://example.com | No Referer header |
| no-referrer-when-downgrade | https://example.com/other-page | Referer: https://example.com/page |
| no-referrer-when-downgrade | http://google.com | No Referer header |
| no-referrer-when-downgrade | https://google.com | Referer: https://example.com/page |
| origin | anywhere | Referer: https://example.com/ |
| origin-when-cross-origin | http://example.com | No Referer header |
| origin-when-cross-origin | https://example.com/other-page | Referer: https://example.com/page |
| origin-when-cross-origin | http://google.com | Referer: https://example.com/ |
| origin-when-cross-origin | https://google.com | Referer: https://example.com/ |
| same-origin | https://example.com/other-page | Referer: https://example.com/page |
| same-origin | http://example.com | No Referer header |
| same-origin | https://google.com | No Referer header |
| strict-origin | https://example.com/other-page | Referer: https://example.com/ |
| strict-origin | http://example.com/other-page | No Referer header |
| strict-origin | https://google.com | Referer: https://example.com/ |
| strict-origin | http://google.com | No Referer header |
| strict-origin-when-cross-origin | https://example.com/other-page | Referer: https://example.com/page |
| strict-origin-when-cross-origin | http://example.com/other-page | No Referer header |
| strict-origin-when-cross-origin | https://google.com | Referer: https://example.com/ |
| strict-origin-when-cross-origin | http://google.com | No Referer header |
| unsafe-url | anywhere | Referer: https://example.com/page |
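To check rows of this matrix mechanically, here is an added example (not part of the redirection.io recipe) that implements, in JavaScript, the decision a browser makes for a navigation under each Referrer-Policy value, following the Referrer Policy specification's algorithm; the policy names are the real ones, while the function and helper names are assumptions. It also strips credentials and the URL fragment, as browsers do, and shows why a password reset link with a token in its query string only leaks under the permissive policies.

```javascript
// Added example: Referer value a browser sends for a navigation from
// `fromHref` to `toHref` under `policy`. Returns null when no header is sent.
const POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "origin",
  "origin-when-cross-origin", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);

// Simplification (assumption): only https: counts as a secure origin here;
// the spec also treats localhost and file: as potentially trustworthy.
const isSecure = (url) => url.protocol === "https:";

// Origin serialized the way it appears in the Referer header: scheme://host[:port]/
const originOf = (url) => `${url.origin}/`;

// Full referrer with username, password and fragment removed, as the spec requires.
function stripForReferrer(url) {
  const u = new URL(url.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

function referrerFor(policy, fromHref, toHref) {
  if (!POLICIES.has(policy)) throw new Error(`unknown Referrer-Policy: ${policy}`);
  const from = new URL(fromHref);
  const to = new URL(toHref);
  const sameOrigin = from.origin === to.origin;        // scheme, host and port all equal
  const downgrade = isSecure(from) && !isSecure(to);   // https -> http navigation
  switch (policy) {
    case "no-referrer":                return null;
    case "unsafe-url":                 return stripForReferrer(from);
    case "no-referrer-when-downgrade": return downgrade ? null : stripForReferrer(from);
    case "origin":                     return originOf(from);
    case "same-origin":                return sameOrigin ? stripForReferrer(from) : null;
    case "origin-when-cross-origin":   return sameOrigin ? stripForReferrer(from) : originOf(from);
    case "strict-origin":              return downgrade ? null : originOf(from);
    case "strict-origin-when-cross-origin":
      if (downgrade) return null;
      return sameOrigin ? stripForReferrer(from) : originOf(from);
  }
}

// Constructed sample: a reset link whose token must not reach a third party.
const RESET_LINK = "https://example.com/reset?token=abc123#top";
```

Note that for origin-when-cross-origin the specification sends the origin on an https to http cross-origin navigation, so the function returns `https://example.com/` for that case.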

How to install this recipe on my website with redirection.io?

Installing this recipe on your website requires the following steps:

  1. Choose your policy: Select the Referrer-Policy to apply. You can find more information about the different policies in the "Choosing the right referrer policy" section.
  2. Install the recipe: Click the install button. A new rule will be automatically created for you in "draft" mode.
  3. Review the rule: Take a look at the generated rule. You can edit it if needed before publishing.
  4. Publish to your site: Once the rule is validated, publish it. The Referrer-Policy header will be active on your site within a few seconds.

Discover our recipes to improve your website's quality in one click

redirection.io's recipes are a powerful feature designed to simplify the implementation of front-end quality best practices for your websites. Think of them as a curated "app store" for your site, offering a variety of pre-configured solutions that can be installed with a single click.

Discover all redirection.io recipes