The Referer header is an integral part of HTTP requests, providing information about the source of a request. It reveals the URL of the referring website, offering insights into a user's online journey. While this information is valuable for analytics and content optimization, its unregulated exposure can pose privacy concerns. The "Referrer Policy" recipe empowers website owners to exert control over this aspect, influencing the behavior of the Referer header and safeguarding user privacy.
Why Install This Recipe?
Privacy Protection: The Referrer Policy is a crucial privacy tool that allows website owners to control the amount of information disclosed by the Referer header. Tailoring this policy is essential for protecting user privacy, as it influences what data is shared with external websites.
Mitigating Data Leakage: Uncontrolled exposure of Referer information can lead to unintended data leakage, disclosing sensitive URLs or user actions. By defining a Referrer Policy, website owners mitigate the risk of such inadvertent disclosures.
Regulatory Compliance: In a landscape of evolving privacy regulations, having control over Referer information aligns with privacy-focused standards. Implementing a Referrer Policy demonstrates a commitment to user privacy and regulatory compliance.
Choosing the Right Referrer Policy
| Policy name | Description |
|---|---|
| no-referrer | Sends no Referer information, enhancing user privacy but potentially impacting analytics data. |
| no-referrer-when-downgrade | Similar to no-referrer, but only when navigating from https to http. Sends the full URL of the Referer for requests performed on the same level of security (e.g. https to https) and omits it for cross-level requests (e.g. http to https). |
| origin | Sends only the origin (scheme, host, and port) of the referring URL. |
| origin-when-cross-origin | Sends the full URL for same-origin requests and only the origin for cross-origin requests. |
| same-origin | Sends the full URL for same-origin requests and omits it for cross-origin requests. |
| strict-origin | Sends the origin for requests performed on the same level of security (e.g. https to https) and omits it for cross-level requests (e.g. http to https). |
| strict-origin-when-cross-origin | Sends the full URL for same-origin requests. Sends only the origin for cross-origin requests on the same level of security (e.g. https to https). Otherwise, omits the Referer header. |
| unsafe-url | Sends the full URL in all cases. We do not advise using this policy, as it is the least privacy-friendly. |
Some advice on how to choose the policy
- Choose "no-referrer" for maximum privacy, but be aware of potential impacts on analytics.
- Consider "strict-origin-when-cross-origin" for a balanced approach, revealing minimal information for cross-origin requests.
- Evaluate specific use cases and privacy requirements to determine the most suitable policy.
Some examples
This matrix shows the Referer header sent by the browser for different scenarios, depending on the policy chosen, for a navigation from a page located at the URL https://example.com/page.
| Policy name | To URL | Referer header sent by the browser |
|---|---|---|
| no-referrer | anywhere | No Referer header |
| no-referrer-when-downgrade | http://example.com | No Referer header |
| no-referrer-when-downgrade | https://example.com/other-page | Referer: https://example.com/page |
| no-referrer-when-downgrade | http://google.com | No Referer header |
| no-referrer-when-downgrade | https://google.com | Referer: https://example.com/page |
| origin | anywhere | Referer: https://example.com/ |
| origin-when-cross-origin | http://example.com | No Referer header |
| origin-when-cross-origin | https://example.com/other-page | Referer: https://example.com/page |
| origin-when-cross-origin | http://google.com | Referer: https://example.com/ |
| origin-when-cross-origin | https://google.com | Referer: https://example.com/ |
| same-origin | https://example.com/other-page | Referer: https://example.com/page |
| same-origin | http://example.com | No Referer header |
| same-origin | https://google.com | No Referer header |
| strict-origin | https://example.com/other-page | Referer: https://example.com/ |
| strict-origin | http://example.com/other-page | No Referer header |
| strict-origin | https://google.com | Referer: https://example.com/ |
| strict-origin | http://google.com | No Referer header |
| strict-origin-when-cross-origin | https://example.com/other-page | Referer: https://example.com/page |
| strict-origin-when-cross-origin | http://example.com/other-page | No Referer header |
| strict-origin-when-cross-origin | https://google.com | Referer: https://example.com/ |
| strict-origin-when-cross-origin | http://google.com | No Referer header |
| unsafe-url | anywhere | Referer: https://example.com/page |
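To make the policy table and the matrix above concrete, here is an added example (not redirection.io code, and not part of the original recipe) that models the "determine request's referrer" algorithm from the W3C Referrer Policy specification in Python. The function and helper names (`parse_referrer_policy`, `referer_for`, `referer_matrix`) are this example's own; the policy names are the standard ones, and the navigation it runs is the constructed one from the matrix above, a page at https://example.com/page navigating to a few same-origin, cross-origin, HTTPS and HTTP destinations. It also parses a Referrer-Policy header value the way a browser does: the header may carry a comma-separated fallback list, the last recognised token wins, and an unrecognised token is ignored, which is why a typo in a rule silently falls back to the browser default rather than failing loudly.

```python
"""Referrer-Policy decision logic, modelled on the W3C Referrer Policy spec.

Added example for this page, not redirection.io code. Helper names are this
example's own; policy names are the standard ones. Sample URLs are constructed.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Current browsers fall back to this policy when none (or only invalid ones) is given.
DEFAULT_POLICY = "strict-origin-when-cross-origin"


def parse_referrer_policy(header_value: str) -> str:
    """Pick the effective policy from a Referrer-Policy header value.

    The value may be a comma-separated fallback list; the last token the
    browser recognises wins and unknown tokens are ignored, so a misspelt
    policy degrades to the browser default instead of producing an error.
    """
    chosen = ""
    for token in header_value.split(","):
        token = token.strip().lower()
        if token in POLICIES:
            chosen = token
    return chosen or DEFAULT_POLICY


def _origin(url: str) -> str:
    """scheme://host[:port]/ of a URL, which is all the 'origin' variants reveal."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, "/", "", ""))


def _stripped(url: str) -> str:
    """Full URL minus credentials and fragment, as the spec strips a referrer."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))


def _same_origin(a: str, b: str) -> bool:
    return _origin(a) == _origin(b)


def _is_downgrade(source: str, destination: str) -> bool:
    """True when an HTTPS page navigates to a non-HTTPS destination."""
    return urlsplit(source).scheme == "https" and urlsplit(destination).scheme != "https"


def referer_for(policy: str, source: str, destination: str) -> Optional[str]:
    """Return the Referer header a browser sends for this navigation, or None."""
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _stripped(source)
    if policy == "no-referrer-when-downgrade":
        return None if _is_downgrade(source, destination) else _stripped(source)
    if policy == "origin":
        return _origin(source)
    if policy == "same-origin":
        return _stripped(source) if _same_origin(source, destination) else None
    if policy == "origin-when-cross-origin":
        return _stripped(source) if _same_origin(source, destination) else _origin(source)
    if policy == "strict-origin":
        return None if _is_downgrade(source, destination) else _origin(source)
    if policy == "strict-origin-when-cross-origin":
        if _same_origin(source, destination):
            return _stripped(source)
        return None if _is_downgrade(source, destination) else _origin(source)
    raise ValueError(f"unknown policy {policy!r}")


def referer_matrix(source: str, destinations: List[str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Tabulate the Referer sent from `source` to each destination, per policy."""
    return {p: {d: referer_for(p, source, d) for d in destinations} for p in sorted(POLICIES)}


# Constructed sample navigation, the same one the matrix above uses.
SOURCE = "https://example.com/page"
DESTINATIONS = [
    "https://example.com/other-page", "http://example.com",
    "https://google.com", "http://google.com",
]

if __name__ == "__main__":
    for policy, row in referer_matrix(SOURCE, DESTINATIONS).items():
        for dest, ref in row.items():
            print(f"{policy:32} -> {dest:31} {ref or 'No Referer header'}")
```

Running the script prints a matrix in the same shape as the one above. Two things are worth noticing in the output: the `*-when-cross-origin` and `same-origin` variants compare the full origin, so a scheme change (https to http on the same host) already counts as cross-origin, and the `strict-*` variants are the only ones that additionally suppress the header on an HTTPS to HTTP downgrade. Because browsers implement the specification rather than any summary table, the cheapest check of a chosen policy is to run the real navigation in a browser's developer tools and read the Referer header it actually sends.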
How to install this recipe on my website with redirection.io?
Installing this recipe on your website requires the following steps:
- Choose the policy to apply: In the form below, choose the policy to apply. You can find more information about the different policies in the "Choosing the Right Referrer Policy" section.
- Click on the "Install on my website" button: Execute the installation process by clicking the "Install" button. This action creates the necessary rule in "Draft" mode for applying the selected Referrer Policy to your website.
- Review the created rule: Review the created rule to make sure that it accurately reflects your configuration. If necessary, you can edit the rule before publishing it on your website.
- Publish on your website: Finalize the installation by publishing the rule on your website. This ensures that the Referrer Policy is applied to your website, protecting user privacy and mitigating the risk of data leakage.