HTTP - Referrer-Policy Header


The referrer policy is a security response header that modifies the algorithm used to populate the Referer header when:

  • fetching subresources,
  • prefetching,
  • or performing navigations.

It can also be set via a referrerpolicy attribute on HTML fetch element such as img


If you always send the referer, if the page is behind a security wall (not public but private), you will send/leak its URL.

If the URL contains sensitive information, it's even worse.

Example used by Gmail

Referrer-Policy: strict-origin-when-cross-origin

Value Syntax

Referrer-Policy: value

The value is explained in the below table.

Value Description
the empty string The default (ie no-referrer-when-downgrade)
no-referrer no referrer information is sent
no-referrer-when-downgrade default policy - referer is send from https only to http and from http to https on the same origin (more specifically to trustworthy URL)
same-origin send only with a same origin request
origin send for all request only the origin
ie for, the Referer value would be
strict-origin same as origin policy but only over https
origin-when-cross-origin for cross-origin request: same as origin policy
for same-origin request: send the full referer
strict-origin-when-cross-origin same as the policy origin-when-cross-origin but only over https (Used by gmail)
unsafe-url send always the referer (unsafe because if the page is behind a security wall (not public), you send its url)



It can be set as a response header (Ref)

Documentation / Reference

Powered by ComboStrap