
HTTP Header Series: Referrer-Policy

Thursday, December 05, 2019
Layer One - Director of Digital Delivery - Jim Schram

In our opening to this series, we discussed some of the reasons for Security Headers. In this post we describe in more detail the Referrer-Policy header, which controls how much information is sent in the Referer HTTP header. While this is generally considered an “optional” header, its use is still advised to control the outward flow of your data.


Referrer-Policy Syntax:

Referrer-Policy: <Directive>


Referrer-Policy Directives (each directive is followed by its description):

no-referrer

The simplest and most strict directive. The Referer header is omitted entirely: no referrer information is sent along with requests.

no-referrer-when-downgrade

This is the default behavior if no policy is specified or if the provided value is invalid. The origin is sent as referrer to a destination that is at least as secure as the document (HTTPS → HTTPS), but is not sent to a less secure destination (HTTPS → HTTP).

origin

Only send the origin of the document as the referrer, in all cases. (e.g. the document https://example.com/page.html will send the referrer https://example.com/.)

origin-when-cross-origin

Send the full URL when performing a same-origin request, but only send the origin of the document in all other cases.

same-origin

A referrer is sent for same-origin requests, but cross-origin requests contain no referrer information.

strict-origin

Only send the origin of the document as the referrer, and only to a destination that is at least as secure as the document (HTTPS → HTTPS); send nothing to a less secure destination (HTTPS → HTTP).

strict-origin-when-cross-origin

Send the full URL when performing a same-origin request, send only the origin of the document to a destination that is at least as secure as the document (HTTPS → HTTPS), and send no header to a less secure destination (HTTPS → HTTP).

unsafe-url

Send the full URL (stripped of parameters) when performing a same-origin or cross-origin request.
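To make the differences between these directives concrete, the following JavaScript models what a browser places in the Referer header for each directive, given the URL of the document making the request and the URL being requested. It is an added example, not code from the original post; behaviour follows the W3C Referrer Policy specification, and the source and destination URLs (a password-reset page carrying a one-time token, and two third-party resources) are constructed sample values rather than real sites. The `leaksQuery` helper shows the practical risk the post is concerned with: which directives let a token in the query string flow out to a third party.

```javascript
// Added example (not code from the original post): a model of the Referer
// value a browser sends under each Referrer-Policy directive. Behaviour
// follows the W3C Referrer Policy specification; all URLs below are
// constructed sample values.

const DIRECTIVES = [
  'no-referrer', 'no-referrer-when-downgrade', 'origin',
  'origin-when-cross-origin', 'same-origin', 'strict-origin',
  'strict-origin-when-cross-origin', 'unsafe-url',
];

// Browsers drop credentials and the fragment before a URL is used as a referrer.
function fullUrl(from) {
  const u = new URL(from);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Origin form: scheme, host and port, with a trailing slash (https://example.com/).
function originOf(from) {
  return new URL(from).origin + '/';
}

function isSameOrigin(from, to) {
  return new URL(from).origin === new URL(to).origin;
}

// A "downgrade" is a request from a TLS-protected document to a plain-HTTP URL.
function isDowngrade(from, to) {
  return new URL(from).protocol === 'https:' && new URL(to).protocol === 'http:';
}

// Returns the Referer value for a request from document `from` to URL `to`,
// or null when no Referer header is sent at all.
function refererFor(policy, from, to) {
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':
      return isDowngrade(from, to) ? null : fullUrl(from);
    case 'origin':
      return originOf(from);
    case 'origin-when-cross-origin':
      return isSameOrigin(from, to) ? fullUrl(from) : originOf(from);
    case 'same-origin':
      return isSameOrigin(from, to) ? fullUrl(from) : null;
    case 'strict-origin':
      return isDowngrade(from, to) ? null : originOf(from);
    case 'strict-origin-when-cross-origin':
      if (isSameOrigin(from, to)) return fullUrl(from);
      return isDowngrade(from, to) ? null : originOf(from);
    case 'unsafe-url':
      return fullUrl(from);
    default:
      // Missing or unrecognised token: fall back to the default described above.
      // (Browsers released since 2020 default to strict-origin-when-cross-origin.)
      return refererFor('no-referrer-when-downgrade', from, to);
  }
}

// True if the query string of `from` (here: a one-time token) would be
// disclosed to `to` through the Referer header under `policy`.
function leaksQuery(policy, from, to) {
  const ref = refererFor(policy, from, to);
  const query = new URL(from).search;
  return query !== '' && ref !== null && ref.includes(query);
}

// Builds a directive -> Referer value map for one source/destination pair.
function referrerReport(from, to) {
  const report = {};
  for (const d of DIRECTIVES) report[d] = refererFor(d, from, to);
  return report;
}

// Constructed sample: a reset page whose URL carries a one-time token, loading a
// third-party resource over HTTPS and another over plain HTTP.
const SOURCE = 'https://app.example.com/reset?token=abc123#step2';
const HTTPS_THIRD_PARTY = 'https://cdn.example.net/widget.js';
const HTTP_THIRD_PARTY = 'http://tracker.example.org/pixel.gif';

for (const dest of [HTTPS_THIRD_PARTY, HTTP_THIRD_PARTY]) {
  console.log(`Requests from ${SOURCE} to ${dest}:`);
  for (const [d, ref] of Object.entries(referrerReport(SOURCE, dest))) {
    const leak = leaksQuery(d, SOURCE, dest) ? 'LEAKS TOKEN' : 'ok';
    console.log(`  ${d.padEnd(32)} ${String(ref).padEnd(48)} ${leak}`);
  }
}
```

Run with `node` to see the two tables. Only `unsafe-url` and (for the HTTPS destination) `no-referrer-when-downgrade` pass the token on to a third party, which is why a policy such as `strict-origin-when-cross-origin` or `no-referrer` is the usual choice for pages whose URLs may carry sensitive values.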


Examples:

Referrer-Policy: no-referrer

Referrer-Policy: origin
