What it is
Referrer-Policy is an HTTP response header that controls how much referrer information (the URL of the page that linked to the current page) is sent in requests. Options range from no-referrer (send nothing) to unsafe-url (send full URL).
Why it matters
Default browser behavior can send the full URL as referrer, leaking query parameters and path information to third parties. Tightening Referrer-Policy (e.g. strict-origin-when-cross-origin or no-referrer-when-downgrade) reduces leakage and improves privacy.
How it is exploited
A password reset link like /reset?token=abc123 is opened in the browser, then the user clicks an outbound link in your footer. The browser sends the full URL as the Referer header to that third party, who now has a working reset token in their access logs. The same leak exposes internal admin paths and search queries to ad networks and analytics scripts.
How to fix it
- Choose a policy. Use strict-origin-when-cross-origin for a good balance: full URL for same-origin, origin only for cross-origin HTTPS, and no referrer when downgrading to HTTP. Use no-referrer if you want to send nothing.
- Add the header. Send Referrer-Policy on every response. Set it in your web server config (Nginx, Apache) or application middleware.
- Verify. Run Barrion's referrer policy check or inspect response headers in dev tools to confirm the header is present.
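The leak scenario above and the policy choice in "Choose a policy", as an added Python example that is not part of this page or any tool it names: it simulates the Referer value a browser sends for each Referrer-Policy token (including comma-separated fallback lists) from constructed sample URLs. It assumes the browser default of strict-origin-when-cross-origin when the header is absent and simplifies "downgrade" to an https page linking to a plain-http destination.

```python
from urllib.parse import urlsplit

# Added example, not from the original page: what Referer a browser emits under
# each Referrer-Policy token, following the policy's decision rules.
POLICIES = {"no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
            "strict-origin", "origin-when-cross-origin",
            "strict-origin-when-cross-origin", "unsafe-url"}
DEFAULT_POLICY = "strict-origin-when-cross-origin"  # assumed browser default when header absent

def parse_policy(header_value):
    # The header may list fallbacks; the last token the browser recognises wins,
    # unknown tokens are skipped, and an empty/all-unknown value means the default.
    chosen = DEFAULT_POLICY
    for token in (header_value or "").split(","):
        if token.strip().lower() in POLICIES:
            chosen = token.strip().lower()
    return chosen

def _origin(url):
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname}{port}/"  # origin-only referrer form

def _stripped(url):
    # Full referrer: userinfo and fragment removed, path and query kept.
    p = urlsplit(url)
    return _origin(url).rstrip("/") + (p.path or "/") + (f"?{p.query}" if p.query else "")

def referrer_for(policy, source_url, dest_url):
    # Returns the Referer value, or None when nothing is sent. Simplification:
    # "downgrade" means an https source navigating to a plain-http destination.
    same_origin = _origin(source_url) == _origin(dest_url)
    downgrade = urlsplit(source_url).scheme == "https" and urlsplit(dest_url).scheme == "http"
    full, origin = _stripped(source_url), _origin(source_url)
    return {
        "no-referrer": None,
        "unsafe-url": full,
        "no-referrer-when-downgrade": None if downgrade else full,
        "same-origin": full if same_origin else None,
        "origin": origin,
        "strict-origin": None if downgrade else origin,
        "origin-when-cross-origin": full if same_origin else origin,
        "strict-origin-when-cross-origin": full if same_origin else (None if downgrade else origin),
    }[policy]

def leaks_query(header_value, source_url, dest_url):
    # True when the source URL's query string (e.g. a reset token) reaches dest.
    ref = referrer_for(parse_policy(header_value), source_url, dest_url)
    return ref is not None and "?" in ref
```

Running it against a constructed reset URL shows that no-referrer-when-downgrade still sends the full URL, token included, to any cross-origin HTTPS destination, which is why strict-origin-when-cross-origin is the better default.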
Examples by platform
Nginx
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
Apache
Header always set Referrer-Policy "strict-origin-when-cross-origin"
How to verify the fix
Confirm the Referrer-Policy header is present in HTTPS responses:
curl -sI https://example.com | grep -i referrer-policy