HTTP - Referrer-Policy Header


The referrer policy is a security response header that modifies the algorithm used to populate the Referer header when:

  • fetching subresources,
  • prefetching,
  • or performing navigations.

It can also be set per element via the referrerpolicy attribute on HTML fetch elements such as img, a, link, iframe and script, or per document via a meta element with name="referrer".


If the browser always sends the full Referer and the page sits behind a security wall (private, not public), its URL leaks to every third party the page loads a resource from or links to.

If that URL itself carries sensitive information (a session token, a password-reset link, a search query), the leak is worse: the recipient obtains the secret, not just the page's location.

Example used by Gmail

Referrer-Policy: strict-origin-when-cross-origin

Value Syntax

Referrer-Policy: value

The value is explained in the below table.

Value Description
(empty string) The user agent's default policy. Historically this was no-referrer-when-downgrade; current browsers (Chrome 85+, Firefox 87+, Safari) default to strict-origin-when-cross-origin. Do not rely on the default: set a policy explicitly.
no-referrer No Referer header is sent at all.
no-referrer-when-downgrade The old default. The full URL is sent for same-security and upgrade requests (https to https, http to anything); nothing is sent on a downgrade from a trustworthy (https) page to a non-trustworthy (http) destination.
same-origin The full URL is sent for same-origin requests only; nothing is sent cross-origin.
origin Only the origin (scheme, host and port, with a trailing slash, e.g. https://example.com/) is sent, for every request including same-origin ones; path and query are never sent.
strict-origin Like origin, but nothing is sent on an https to http downgrade.
origin-when-cross-origin Full URL for same-origin requests, origin only for cross-origin requests (even on a downgrade).
strict-origin-when-cross-origin Like origin-when-cross-origin, but nothing is sent on an https to http downgrade. This is the value used by Gmail and the current browser default.
unsafe-url The full URL (minus credentials and fragment) is always sent, including on a downgrade. Unsafe because a private page's URL, with any secret in its path or query, is handed to every third party it loads resources from.
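To make the table concrete, here is an added example in JavaScript (written for this page, not code from the original article or from any browser) that models the browser's referrer algorithm: it parses a Referrer-Policy header value, including the comma-separated fallback form, and computes the Referer that would be sent for a given page URL, destination URL and policy. The hostnames (intranet.example, cdn.example, tracker.example), the token in the query string, the treatment of an empty or unrecognised policy as strict-origin-when-cross-origin, and the approximation of "potentially trustworthy" as https/wss or loopback are assumptions made for the demonstration. Runs under Node.js (global URL).

```javascript
// Added example: model of how a browser derives the Referer request header
// from the page URL, the destination URL and the Referrer-Policy in force.

const POLICIES = [
  'no-referrer',
  'no-referrer-when-downgrade',
  'same-origin',
  'origin',
  'strict-origin',
  'origin-when-cross-origin',
  'strict-origin-when-cross-origin',
  'unsafe-url',
];

// Assumption: model the current default of Chrome/Firefox/Safari.
const DEFAULT_POLICY = 'strict-origin-when-cross-origin';

// The header may carry a comma-separated list so that a browser that does
// not know a newer token falls back to an older one; the last token it
// recognises wins. Tokens are matched exactly against the spec's list.
function parseReferrerPolicy(headerValue) {
  let policy = '';
  for (const token of String(headerValue || '').split(',')) {
    const t = token.trim();
    if (POLICIES.includes(t)) policy = t;
  }
  return policy || DEFAULT_POLICY;
}

// Approximation (assumption) of "potentially trustworthy URL".
function isTrustworthy(url) {
  return url.protocol === 'https:' || url.protocol === 'wss:' ||
    url.hostname === 'localhost' || url.hostname === '127.0.0.1';
}

// What a browser always strips before using a URL as a referrer:
// userinfo (credentials) and the fragment.
function stripForReferrer(url) {
  const u = new URL(url.href);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Returns the Referer value that would be sent, or null for "no header".
function computeReferer(pageUrl, destinationUrl, policy) {
  if (!policy) policy = DEFAULT_POLICY;
  const page = new URL(pageUrl);
  const dest = new URL(destinationUrl);
  const sameOrigin = page.origin === dest.origin;
  const downgrade = isTrustworthy(page) && !isTrustworthy(dest);
  const full = stripForReferrer(page);
  const originOnly = page.origin + '/';

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : full;
    case 'same-origin':
      return sameOrigin ? full : null;
    case 'origin':
      return originOnly;
    case 'strict-origin':
      return downgrade ? null : originOnly;
    case 'origin-when-cross-origin':
      return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    case 'unsafe-url':
      return full;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Constructed demo input: a private page whose query string carries a token.
const PRIVATE_PAGE = 'https://intranet.example/reports/2024?token=abc123';
const DESTINATIONS = [
  'https://intranet.example/other',    // same origin
  'https://cdn.example/logo.png',      // cross origin, no downgrade
  'http://tracker.example/pixel.gif',  // cross origin, https -> http downgrade
];

for (const policy of POLICIES) {
  for (const dest of DESTINATIONS) {
    console.log(policy.padEnd(32), dest.padEnd(36),
      String(computeReferer(PRIVATE_PAGE, dest, policy)));
  }
}
```

Reading the printed table shows the point of the page: under unsafe-url the token in the private page's query string reaches cdn.example and tracker.example, while under strict-origin-when-cross-origin they see only https://intranet.example/ and the plain-http tracker sees nothing.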



It is normally set as an HTTP response header, as in the Gmail example above; it can also be set for the whole document with a meta element (name="referrer") or per element with the referrerpolicy attribute. The header may list several comma-separated values so that a browser that does not understand a newer value falls back to an earlier one; the last value the browser recognises is the one applied.
