The Referrer-Policy header controls how much of the current page's URL the browser includes in the Referer header, both when users follow links away from your pages and when your pages load scripts, images and other cross-origin resources. Without it, sensitive URL paths and query strings (user IDs, search terms, password-reset or session tokens) can leak to third-party sites and to embedded services such as analytics or ad scripts. This guide shows how to set the header across all major web servers and platforms.
Choosing a Policy Value
| Value | What Is Sent | Best For |
|---|---|---|
no-referrer | Nothing — Referer header is omitted entirely | Maximum privacy; breaks referrer-based analytics |
no-referrer-when-downgrade | Full URL in every case except HTTPS→HTTP downgrades, where nothing is sent | Legacy default; not recommended (leaks full paths to every same-scheme third party)
strict-origin-when-cross-origin | Full URL on same-origin; origin only on cross-origin requests at the same security level (HTTPS→HTTPS or HTTP→HTTP); nothing on HTTPS→HTTP downgrades | Recommended for most sites: a good balance of privacy and analytics
strict-origin | Origin only, even for same-origin requests; nothing on HTTPS→HTTP downgrades | Sites that never want paths in the Referer, not even for their own requests
same-origin | Full URL on same-origin only; nothing cross-origin | Sites that want no referrer data sent to any third party |
origin | Origin only, always (including on HTTPS→HTTP downgrades) | Sites needing referrer data but not full paths; prefer strict-origin unless you must send the origin to HTTP sites
unsafe-url | Full URL always, including to HTTP sites | Avoid — leaks sensitive paths even on downgrades |
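The table describes outcomes; to see exactly what a given page would leak to a given destination, the following script (an added example, not code from the original guide) implements the browser's "determine request's referrer" algorithm from the W3C Referrer Policy specification for a navigation or fetch. It covers all eight policy values, including origin-when-cross-origin, which the table omits. Assumptions: the "potentially trustworthy" check is reduced to the scheme plus localhost, and the page and destination URLs are constructed samples, not real sites.

```javascript
// Added example (not from the original guide): compute the Referer value a browser
// sends under each Referrer-Policy, following the W3C "determine request's referrer"
// algorithm. Assumption: "potentially trustworthy" is simplified to https/wss/localhost.

const NO_REFERRER = null; // the Referer header is omitted entirely

const POLICIES = [
  'no-referrer', 'no-referrer-when-downgrade', 'strict-origin-when-cross-origin',
  'strict-origin', 'same-origin', 'origin', 'origin-when-cross-origin', 'unsafe-url',
];

function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (u.protocol === 'https:' || u.protocol === 'wss:') return true;
  const host = u.hostname;
  return host === 'localhost' || host.endsWith('.localhost') ||
    host === '127.0.0.1' || host === '[::1]';
}

// "Strip URL for use as a referrer": drop credentials and the fragment
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Browsers send an origin-only referrer with a trailing slash, e.g. https://example.com/
function originOf(url) {
  return new URL(url).origin + '/';
}

function determineReferrer(policy, fromUrl, toUrl) {
  // An empty/absent policy means the browser default, strict-origin-when-cross-origin
  const effective = policy === '' ? 'strict-origin-when-cross-origin' : policy;
  let referrerUrl = stripForReferrer(fromUrl);
  const referrerOrigin = originOf(fromUrl);
  if (referrerUrl.length > 4096) referrerUrl = referrerOrigin; // spec: over-long referrers collapse to origin
  const sameOrigin = new URL(fromUrl).origin === new URL(toUrl).origin;
  const downgrade = isPotentiallyTrustworthy(fromUrl) && !isPotentiallyTrustworthy(toUrl);

  switch (effective) {
    case 'no-referrer': return NO_REFERRER;
    case 'origin': return referrerOrigin;                         // origin even on downgrade
    case 'unsafe-url': return referrerUrl;                        // full URL even on downgrade
    case 'strict-origin': return downgrade ? NO_REFERRER : referrerOrigin;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return referrerUrl;
      return downgrade ? NO_REFERRER : referrerOrigin;
    case 'same-origin': return sameOrigin ? referrerUrl : NO_REFERRER;
    case 'origin-when-cross-origin': return sameOrigin ? referrerUrl : referrerOrigin;
    case 'no-referrer-when-downgrade': return downgrade ? NO_REFERRER : referrerUrl;
    default: throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Policy x destination matrix for one page, for eyeballing what leaks where
function referrerMatrix(fromUrl, targets) {
  const rows = {};
  for (const policy of POLICIES) {
    rows[policy] = {};
    for (const [label, to] of Object.entries(targets)) {
      rows[policy][label] = determineReferrer(policy, fromUrl, to) ?? '(omitted)';
    }
  }
  return rows;
}

// Constructed sample: a logged-in settings page (user id in the query string)
// linking to a same-origin page, a cross-origin HTTPS partner and a plain-HTTP site.
const FROM = 'https://app.example.com/account/settings?user=42';
const TARGETS = {
  sameOrigin: 'https://app.example.com/help',
  crossOriginHttps: 'https://partner.example/landing',
  downgradeHttp: 'http://legacy.example/',
};

console.table(referrerMatrix(FROM, TARGETS));
```

Reading the matrix row by row reproduces the table: only unsafe-url and no-referrer-when-downgrade ever put the path and `user=42` in front of a third party, and only unsafe-url and origin send anything at all to the plain-HTTP site.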
strict-origin-when-cross-origin has been the browser default since Chrome 85 and Firefox 87, and it is the recommended value for most sites. Setting it explicitly guarantees the same behaviour in older browsers that still default to no-referrer-when-downgrade and documents your intent for security auditors.
Nginx
```nginx
server {
    listen 443 ssl;
    server_name example.com;
    # "always" adds the header to error responses (4xx/5xx) too, not only to 2xx/3xx
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # ... rest of config
}
```
Note that add_header is not merged across levels: a location block that contains any add_header directive of its own drops every add_header inherited from the server block, so repeat the Referrer-Policy line (or an include file of your security headers) in each such location.
Test the configuration and reload:
```shell
sudo nginx -t && sudo systemctl reload nginx
```
Apache
```apache
<VirtualHost *:443>
    <IfModule mod_headers.c>
        # "always" applies the header to error responses as well
        Header always set Referrer-Policy "strict-origin-when-cross-origin"
    </IfModule>
</VirtualHost>
```
Or in .htaccess:
```apache
<IfModule mod_headers.c>
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
```
The IfModule guard means a missing mod_headers fails silently (no error, no header), so make sure the module is enabled and reload:
```shell
sudo a2enmod headers && sudo systemctl reload apache2
```
IIS (web.config)
```xml
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
```
Caddy
```caddyfile
example.com {
    header Referrer-Policy "strict-origin-when-cross-origin"
    # ... rest of config
}
```
Cloudflare (Transform Rules)
- Go to Rules → Transform Rules → Modify Response Header.
- Add a rule with Operation: Set, Header name: Referrer-Policy, Value: strict-origin-when-cross-origin.
- Deploy the rule.
An edge rule only covers requests that pass through Cloudflare's proxy; anything that reaches the origin directly (DNS-only records, or an origin IP that is exposed) gets whatever the origin sends. Set the header at the origin as well and let the edge rule, which uses Set rather than Add, normalise it.
Next.js
```javascript
// next.config.mjs
const nextConfig = {
  async headers() {
    return [
      {
        source: '/(.*)', // match every route
        headers: [
          {
            key: 'Referrer-Policy',
            value: 'strict-origin-when-cross-origin',
          },
        ],
      },
    ];
  },
};

export default nextConfig;
```
Custom headers from next.config are applied by the Next.js server (or the hosting platform's adapter), so they do not apply to a static export (output: 'export'). In that case set the header on whichever server or CDN serves the exported files, using the sections above.
Setting via HTML Meta Tag
You can also set a per-page referrer policy with an HTML <meta> tag in the <head>. This is useful for pages that need a different policy from the server-wide default:
```html
<meta name="referrer" content="strict-origin-when-cross-origin">
```
When both are present, the <meta> element is processed after the response headers and replaces the header's policy for that document, so a page can loosen the server-wide value as well as tighten it; audit your templates for stray <meta name="referrer"> tags, including the legacy keyword always, which is equivalent to unsafe-url. A referrerpolicy attribute on an individual <a>, <img>, <script> or similar element overrides both for that one request. The meta tag only affects requests the document makes; it does not add a header to the HTTP response, so header scanners will not see it.
Verifying the Header
Use a GET rather than a HEAD request (curl -I), because some applications and CDNs emit different headers for HEAD:
```shell
curl -sS -D - -o /dev/null https://example.com/ | grep -i '^referrer-policy'
# Expected: referrer-policy: strict-origin-when-cross-origin
```
Check an error page as well (for example a 404), which is where a missing always in Nginx or Apache shows up, and a page served from a location or route that sets headers of its own. Or use the ShowDNS Security Headers Scanner.
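A grep only shows that some value is present. The following script (an added example, not part of the original guide) parses captured response headers the way browsers parse Referrer-Policy: the value is a comma-separated list, unrecognised tokens are ignored and the last recognised token wins, which is what makes a fallback list such as no-referrer, strict-origin-when-cross-origin valid for old and new browsers alike. It then grades the effective policy and flags a header that is set more than once (typically origin plus CDN). The sample response is constructed; in practice feed it the output of curl -sS -D - -o /dev/null https://example.com/.

```javascript
// Added example (not from the original guide): parse and grade the Referrer-Policy
// header in a captured HTTP response, e.g. from: curl -sS -D - -o /dev/null URL

const KNOWN_POLICIES = new Set([
  'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin', 'unsafe-url',
]);

// Policies that never expose the path to a third party and send nothing on an
// HTTPS->HTTP downgrade
const STRONG_POLICIES = new Set([
  'no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin',
]);

// Spec algorithm "parse a referrer policy from a Referrer-Policy header": split on
// commas, skip unknown tokens, and let the LAST known token win. Tokens are compared
// exactly as the spec spells them (lowercase); browsers may be more lenient, so a
// differently cased value is reported as invalid here so you notice and normalise it.
function parseReferrerPolicyHeader(headerValue) {
  let policy = '';
  for (const raw of headerValue.split(',')) {
    const token = raw.trim();
    if (KNOWN_POLICIES.has(token)) policy = token;
  }
  return policy; // '' means no valid policy: the browser falls back to its default
}

// Collect every Referrer-Policy header line (HTTP/1.1 or HTTP/2 style, any case)
function extractReferrerPolicyValues(rawResponse) {
  const values = [];
  for (const line of rawResponse.split(/\r?\n/)) {
    const m = /^referrer-policy:\s*(.*)$/i.exec(line);
    if (m) values.push(m[1].trim());
  }
  return values;
}

function auditResponseHeaders(rawResponse) {
  const values = extractReferrerPolicyValues(rawResponse);
  // Repeated header lines are combined into one comma-separated list (HTTP field merging)
  const effective = parseReferrerPolicyHeader(values.join(','));
  let verdict;
  if (values.length === 0) verdict = 'missing';       // relying on the browser default
  else if (effective === '') verdict = 'invalid';     // header present, no recognised token
  else if (STRONG_POLICIES.has(effective)) verdict = 'ok';
  else verdict = 'weak';                               // leaks path, or leaks origin on downgrade
  const notes = [];
  if (values.length > 1) {
    notes.push('header set more than once (origin + CDN/proxy?); last valid token wins');
  }
  return { values, effective, verdict, notes };
}

// Constructed sample response (not captured from a real site)
const SAMPLE_RESPONSE = [
  'HTTP/2 200',
  'content-type: text/html; charset=utf-8',
  'referrer-policy: no-referrer, strict-origin-when-cross-origin',
  'x-content-type-options: nosniff',
  '',
].join('\r\n');

console.log(auditResponseHeaders(SAMPLE_RESPONSE));
```

Run it against the captured headers of a normal page, an error page and any route with its own header configuration; a verdict of missing on the error page is the classic symptom of an add_header or Header directive without always.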