Referrer-Policy header - HTTP | MDN
The HTTP Referrer-Policy response header controls how much referrer information (sent with the Referer header) should be included with requests. Aside from the HTTP header, you can set this policy in HTML.
Header type | Response header
---|---
Forbidden request header | No
Syntax
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
**Note:** The header name Referer is a misspelling of the word "referrer". The Referrer-Policy header does not share this misspelling.
Directives
no-referrer
The Referer header will be omitted: sent requests do not include any referrer information.
no-referrer-when-downgrade
Send the origin, path, and query string in Referer when the protocol security level stays the same or improves (HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS). Don't send the Referer header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file).
origin
Send only the origin in the Referer header. For example, a document at https://example.com/page.html will send the referrer https://example.com/.
origin-when-cross-origin
When performing a same-origin request to the same protocol level (HTTP→HTTP, HTTPS→HTTPS), send the origin, path, and query string. Send only the origin for cross-origin requests and requests to less secure destinations (HTTPS→HTTP).
same-origin
Send the origin, path, and query string for same-origin requests. Don't send the Referer header for cross-origin requests.
strict-origin
Send only the origin when the protocol security level stays the same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).
strict-origin-when-cross-origin (default)
Send the origin, path, and query string when performing a same-origin request. For cross-origin requests, send the origin (only) when the protocol security level stays the same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).
**Note:** This is the default policy if no policy is specified, or if the provided value is invalid (see spec revision November 2020). Previously the default was no-referrer-when-downgrade.
unsafe-url
Send the origin, path, and query string when performing any request, regardless of security.
**Warning:** This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.
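The directive descriptions above can be checked against a small model of the browser's decision. The following is an added example, not code from MDN or any browser: it takes a policy name, the URL of the sending document, and the destination URL, and returns the Referer value (or null) the rules above produce. It assumes the standard WHATWG URL class (Node.js or a modern browser), and the sample URLs are constructed for illustration.

```javascript
// Added example: compute the Referer value for each Referrer-Policy directive.
// Assumes the WHATWG URL class; sample URLs below are constructed, not real traffic.

function stripForReferrer(url) {
  // A full referrer never carries credentials or the fragment.
  const u = new URL(url.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

function computeReferrer(policy, sourceHref, destinationHref) {
  const src = new URL(sourceHref);
  const dst = new URL(destinationHref);
  // Only http(s) documents expose a referrer at all.
  if (src.protocol !== "http:" && src.protocol !== "https:") return null;
  const sameOrigin = src.origin === dst.origin;
  // "Less secure destination": leaving HTTPS for HTTP, file, etc.
  const downgrade = src.protocol === "https:" && dst.protocol !== "https:";
  const full = stripForReferrer(src);        // origin + path + query
  const originOnly = src.origin + "/";       // origin only, as a URL

  switch (policy) {
    case "no-referrer":                return null;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin":                     return originOnly;
    case "origin-when-cross-origin":   return sameOrigin ? full : originOnly;
    case "same-origin":                return sameOrigin ? full : null;
    case "strict-origin":              return downgrade ? null : originOnly;
    case "unsafe-url":                 return full;
    case "strict-origin-when-cross-origin":
    default:
      // Unknown or empty values fall back to the default policy.
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
  }
}

// Constructed sample: a logged-in page whose query string should not leak cross-site.
const SRC = "https://user:pw@example.com/account?id=42#top";
for (const dst of ["https://example.com/next", "https://other.example/", "http://other.example/"]) {
  console.log(dst, "=>", computeReferrer("strict-origin-when-cross-origin", SRC, dst));
}
```

Comparing the output of the default policy with unsafe-url on the third destination shows exactly what the warning above refers to: the full HTTPS URL, including the query string, would be sent to a plain-HTTP origin.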
Integration with HTML
You can also set referrer policies inside HTML. For example, you can set the referrer policy for the entire document with a <meta> element with a name of referrer:
<meta name="referrer" content="origin" />