The HTTP Referer header indicates the web page that led a visitor to your site. While very useful for traffic analysis, it can create a privacy risk by revealing the URL of the previous page, which can sometimes contain sensitive information.

The Referrer-Policy header allows you to precisely control this information. This recipe helps you easily configure this essential security header to control the data your site shares with external sites.
Why install this recipe?
Protect user privacy: Limit the sharing of sensitive browsing information, such as internal page URLs or query parameters, to external sites.
Enhance security: Prevent leaks of URLs containing sensitive information (like a password reset link) to third parties.
Improve compliance: Adopting a strict policy is a good practice that aligns with data protection regulations, such as the GDPR.
Choosing the right Referrer policy
Policy name | Description |
---|---|
no-referrer | Sends no Referer information, which maximises user privacy but may impact analytics data. |
no-referrer-when-downgrade | Behaves like no-referrer only when navigating from https to http: the full referrer URL is sent on same-security-level requests, but no referrer information is sent on requests from a secure (https) page to an insecure (http) destination. |
origin | Sends only the origin (scheme, host, and port) of the referring URL. |
origin-when-cross-origin | Sends the full URL for same-origin requests and only the origin for cross-origin requests. |
same-origin | Sends the full URL for same-origin requests and omits it for cross-origin requests. |
strict-origin | Sends the origin for same-security-level requests (e.g., https to https) but omits it for less secure destinations (e.g., https to http). |
strict-origin-when-cross-origin | Sends the full URL for same-origin requests. Sends only the origin for cross-origin requests at the same security level (e.g., https to https). Otherwise, omits the Referer header. |
unsafe-url | Sends the full URL in all cases. We do not advise using this policy, as it is the least privacy-friendly option. |
Which policy to choose? Our recommendations
- Maximum privacy: Choose no-referrer. No information is sent, but this may affect the accuracy of your analytics tools.
- The best balance (Recommended): strict-origin-when-cross-origin is the most common choice. It preserves privacy while sharing the origin (the domain name) with external sites, which is often useful.
- For internal use: same-origin is a good option if you only want the Referer for navigation within your own site.
Some examples
This matrix shows the Referer header sent by the browser for different scenarios, depending on the chosen policy, for navigation from a page at the URL https://example.com/page.

Policy name | To URL | Referer header sent by the browser |
---|---|---|
no-referrer | anywhere | No Referer header |
no-referrer-when-downgrade | http://example.com | No Referer header |
no-referrer-when-downgrade | https://example.com/other-page | Referer: https://example.com/page |
no-referrer-when-downgrade | http://google.com | No Referer header |
no-referrer-when-downgrade | https://google.com | Referer: https://example.com/page |
origin | anywhere | Referer: https://example.com/ |
origin-when-cross-origin | http://example.com | No Referer header |
origin-when-cross-origin | https://example.com/other-page | Referer: https://example.com/page |
origin-when-cross-origin | http://google.com | Referer: https://example.com/ |
origin-when-cross-origin | https://google.com | Referer: https://example.com/ |
same-origin | https://example.com/other-page | Referer: https://example.com/page |
same-origin | http://example.com | No Referer header |
same-origin | https://google.com | No Referer header |
strict-origin | https://example.com/other-page | Referer: https://example.com/ |
strict-origin | http://example.com/other-page | No Referer header |
strict-origin | https://google.com | Referer: https://example.com/ |
strict-origin | http://google.com | No Referer header |
strict-origin-when-cross-origin | https://example.com/other-page | Referer: https://example.com/page |
strict-origin-when-cross-origin | http://example.com/other-page | No Referer header |
strict-origin-when-cross-origin | https://google.com | Referer: https://example.com/ |
strict-origin-when-cross-origin | http://google.com | No Referer header |
unsafe-url | anywhere | Referer: https://example.com/page |
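The matrix above is one instance of a general rule: each policy decides, from whether the destination is same-origin and whether the hop is an https-to-http downgrade, if the browser sends the full URL, only the origin, or nothing. The function below is an added example (not code from the recipe or from redirection.io) that implements that decision for the eight policy tokens following the W3C Referrer Policy specification, including the stripping the spec requires before a URL is used as a referrer (fragment, username and password removed). It assumes absolute http(s) URLs as input. Note that the specification gives origin-when-cross-origin no downgrade rule: an https-to-http hop to the same host is simply cross-origin, so the spec's result for that case is the origin rather than no header; that is the one row of the matrix worth verifying against a real browser.

```python
"""Compute the Referer value a browser sends under a given Referrer-Policy.

Added example implementing the referrer selection algorithm of the W3C
Referrer Policy specification. Input URLs are assumed to be absolute http(s) URLs.
"""
from urllib.parse import urlsplit

POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}


def origin_of(url):
    """Scheme, host and port only; drops user:password@ and any path."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port is not None else ""
    return f"{p.scheme}://{p.hostname or ''}{port}"


def strip_for_referrer(url):
    """Spec stripping: keep scheme, host, port, path and query; drop fragment and credentials."""
    p = urlsplit(url)
    path = p.path or "/"
    query = f"?{p.query}" if p.query else ""
    return f"{origin_of(url)}{path}{query}"


def is_downgrade(source, destination):
    """True for a hop from a TLS-protected page to a non-TLS destination."""
    return urlsplit(source).scheme == "https" and urlsplit(destination).scheme != "https"


def referer_for(policy, source, destination):
    """Return the Referer header value, or None when the header is omitted."""
    if policy not in POLICIES:
        raise ValueError(f"unknown Referrer-Policy token: {policy!r}")

    same_origin = origin_of(source) == origin_of(destination)
    downgrade = is_downgrade(source, destination)
    full_url = strip_for_referrer(source)
    origin_only = origin_of(source) + "/"   # browsers serialise an origin referrer with a trailing slash

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_url                      # leaks path and query (e.g. a reset token) everywhere
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_url
    if policy == "origin":
        return origin_only                   # origin even on a downgrade
    if policy == "same-origin":
        return full_url if same_origin else None
    if policy == "origin-when-cross-origin":
        return full_url if same_origin else origin_only   # no downgrade rule in the spec
    if policy == "strict-origin":
        return None if downgrade else origin_only
    # strict-origin-when-cross-origin
    if same_origin:
        return full_url
    return None if downgrade else origin_only


def matrix(source, destinations):
    """Rows of (policy, destination, Referer-or-None) for every policy, like the table above."""
    return [(pol, dst, referer_for(pol, source, dst))
            for pol in sorted(POLICIES) for dst in destinations]


if __name__ == "__main__":
    # Constructed scenario mirroring the recipe: a password reset link leaking via the referrer.
    src = "https://example.com/reset?token=SECRET#step2"
    for pol, dst, ref in matrix(src, ["https://example.com/other-page", "http://example.com", "https://third-party.test/"]):
        print(f"{pol:32} -> {dst:32} {ref or 'No Referer header'}")
```

Running the script prints the same shape as the matrix for a constructed reset-link URL; only the four strict and same-origin policies keep the token out of every third-party request.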
How to install this recipe on my website with redirection.io?
Installing this recipe on your website requires the following steps:
- Choose your policy: Select the Referrer-Policy to apply. You can find more information about the different policies in the "Choosing the right referrer policy" section.
- Install the recipe: Click the install button. A new rule will be automatically created for you in "draft" mode.
- Review the rule: Take a look at the generated rule. You can edit it if needed before publishing.
- Publish to your site: Once the rule is validated, publish it. The Referrer-Policy header will be active on your site within a few seconds.
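Once the rule is published, the remaining step is to confirm that the header actually reaches the browser with the value you chose. The script below is an added example (not part of the recipe or of redirection.io) that fetches the response headers of a URL and audits the Referrer-Policy value the way a browser reads it: the header may carry a comma-separated list of tokens, and the last recognised token wins, so a site can list an older token first as a fallback. The strict/moderate/weak classification is this example's own, based on the recommendations above; the URL in the `__main__` block is a placeholder.

```python
"""Audit the Referrer-Policy header a site actually sends.

Added example. fetch_referrer_policy() performs a live HEAD request;
audit_referrer_policy() works on a header string so it can be checked offline.
"""
import sys
import urllib.request

KNOWN_POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
)
# Never send path/query cross-origin and never send anything on an https->http hop.
STRICT = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
# Origin only cross-origin, but still disclosed to http destinations.
MODERATE = {"origin", "origin-when-cross-origin"}
# Full URL (path and query) reaches third parties.
WEAK = {"unsafe-url", "no-referrer-when-downgrade"}


def parse_referrer_policy(header_value):
    """Effective policy token, or None if no recognised token is present.

    Tokens are comma-separated; per the Referrer Policy spec the LAST valid token
    overrides earlier ones, so unknown (future) tokens fall back to an earlier one.
    """
    effective = None
    for token in header_value.split(","):
        token = token.strip()
        if token in KNOWN_POLICIES:
            effective = token
    return effective


def audit_referrer_policy(header_value):
    """Return (level, effective_policy, reason) for a raw header value or None."""
    if header_value is None:
        return ("missing", None,
                "no Referrer-Policy header; the browser default applies "
                "(strict-origin-when-cross-origin in current browsers)")
    policy = parse_referrer_policy(header_value)
    if policy is None:
        return ("invalid", None, f"no recognised token in {header_value!r}; browsers ignore it")
    if policy in STRICT:
        return ("strict", policy, "path and query never leave the origin")
    if policy in MODERATE:
        return ("moderate", policy, "origin is disclosed even to http destinations")
    return ("weak", policy, "full URL, including query string, can reach third parties")


def fetch_referrer_policy(url, timeout=10):
    """HEAD the URL and return the combined Referrer-Policy value, or None if absent."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        values = resp.headers.get_all("Referrer-Policy")
    # Multiple header fields combine with ", " exactly like a single comma-separated list.
    return ", ".join(values) if values else None


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.com/"  # placeholder URL
    level, policy, reason = audit_referrer_policy(fetch_referrer_policy(target))
    print(f"{target}: {level} ({policy}) - {reason}")
    sys.exit(0 if level == "strict" else 1)
```

The non-zero exit status for anything other than a strict policy makes the script usable as a post-publish check in a deployment pipeline.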