Referrer-Policy Directives

The Referrer-Policy header supports multiple directives offering varying levels of privacy:

no-referrer: Never send referrer information

Referrer-Policy: no-referrer

no-referrer-when-downgrade: Send the full URL, except when navigating from HTTPS to HTTP (historically the default browser behavior)

Referrer-Policy: no-referrer-when-downgrade

origin: Send only the origin (protocol, host, and port)

Referrer-Policy: origin

origin-when-cross-origin: Send the full URL for same-origin requests and only the origin for cross-origin requests (including HTTPS to HTTP downgrades)

Referrer-Policy: origin-when-cross-origin

same-origin: Send referrer only for same-origin requests

Referrer-Policy: same-origin

strict-origin: Send only the origin when the protocol security level stays the same or improves; send nothing on HTTPS to HTTP downgrades

Referrer-Policy: strict-origin

strict-origin-when-cross-origin: Full URL for same-origin requests, origin only for cross-origin requests when the protocol security level stays the same or improves, and nothing on HTTPS to HTTP downgrades

Referrer-Policy: strict-origin-when-cross-origin

unsafe-url: Always send the full URL, including path and query string, even on cross-origin and HTTPS to HTTP requests (not recommended)

Referrer-Policy: unsafe-url
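As an added example that is not part of the original page, the following JavaScript computes the Referer value a browser sends under each directive above for a given source document and destination URL; the URLs in the comments and the report helper are constructed sample values.

```javascript
// Added example (not from the original page): compute the Referer value a
// browser would send under each Referrer-Policy directive listed above.
// Source/destination URLs passed in are constructed sample values.

// Full referrer: the source URL without credentials and fragment.
function fullReferrer(src) {
  const u = new URL(src.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Origin-only referrer: scheme://host[:port] followed by "/".
function originReferrer(src) {
  return src.origin + "/";
}

// A downgrade is a request from an HTTPS document to an HTTP destination.
function isDowngrade(src, dst) {
  return src.protocol === "https:" && dst.protocol === "http:";
}

// Returns the Referer string to send, or null when no referrer is sent.
function referrerFor(policy, sourceHref, destinationHref) {
  const src = new URL(sourceHref);
  const dst = new URL(destinationHref);
  const sameOrigin = src.origin === dst.origin;
  const downgrade = isDowngrade(src, dst);
  switch (policy) {
    case "no-referrer":                return null;
    case "no-referrer-when-downgrade": return downgrade ? null : fullReferrer(src);
    case "origin":                     return originReferrer(src);
    case "origin-when-cross-origin":   return sameOrigin ? fullReferrer(src) : originReferrer(src);
    case "same-origin":                return sameOrigin ? fullReferrer(src) : null;
    case "strict-origin":              return downgrade ? null : originReferrer(src);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return fullReferrer(src);
      return downgrade ? null : originReferrer(src);
    case "unsafe-url":                 return fullReferrer(src);
    default: throw new Error(`unknown Referrer-Policy directive: ${policy}`);
  }
}

// Report what each directive would leak from one page to one destination,
// e.g. a password-reset page (constructed URL) loading a third-party pixel.
const DIRECTIVES = ["no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
  "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url"];
function leakReport(sourceHref, destinationHref) {
  return Object.fromEntries(DIRECTIVES.map(p => [p, referrerFor(p, sourceHref, destinationHref)]));
}
```

Running leakReport("https://app.example.com/reset?token=abc123", "http://tracker.example.org/pixel") shows that only the three strict directives and no-referrer keep the reset token out of the request, which is why strict-origin-when-cross-origin is the usual recommendation.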