Introduction to Referrer Policy
Summary
Referrer Policy is a critical HTTP mechanism to reduce privacy risks by limiting what referrer information browsers send with requests. This article explains how.
Introduction #
The Referrer Policy is a browser-based security mechanism that gives you control over how much referrer information is included with requests from your website. Referrer data, if not properly controlled, can lead to unintended exposure of sensitive or personal information.
The Referer HTTP header tells the server receiving a request which page the request came from. For example, when a user clicks a link on your site that leads to another site, the URL of your page is sent as the referrer. This is widely used for analytics, logging, and debugging, but it can also carry private data, especially when URLs contain sensitive query parameters or identifiers.
The header name Referer is a misspelling of "referrer" that dates back to an early HTTP specification and has been kept for compatibility. The Referrer-Policy header and its directives use the correct spelling. For additional information, refer to the Wikipedia page on HTTP referer.
Why the Referer header is a privacy issue #
The main privacy risk is that the header can expose the full URL of the page the user came from, including sensitive information such as:
- User IDs in query strings
- Search terms
- Session tokens
- Personal identifiers
When third-party content is embedded (ads, scripts, iframes), this information can be unintentionally leaked to external domains. This increases the risk of surveillance, profiling, and data harvesting.
General Data Protection Regulation (GDPR) #
Under the General Data Protection Regulation (GDPR), organizations must implement appropriate measures to protect personal data. Relevant parts include:
- Recital 83: emphasizes secure processing of personal data.
- Article 5.1.c: data minimization, meaning only the minimum necessary data should be processed.
- Article 25: data protection by design and by default.
- Article 32.2: preventing unnecessary disclosure of personal data.
By setting a restrictive Referrer Policy, you ensure that URLs containing personal data are not shared with third parties unnecessarily. This supports both data minimization and privacy-by-design principles.
Referrer Policy syntax #
You can define a Referrer Policy using either of the following methods:
Server #
On your server, you can define a Referrer Policy with the following syntax:
Referrer-Policy: <directive>
Example:
Referrer-Policy: same-origin
HTML #
Within an HTML document, you can define a Referrer Policy in two ways:
HTML document #
To control the referrer behavior of all elements within an HTML document, use the meta tag:
<meta name="referrer" content="<directive>">
Example:
<meta name="referrer" content="same-origin">
Specific HTML tags #
To control referrer behavior for individual elements, apply the referrerpolicy attribute to elements like <a>, <area>, <img>, <iframe>, <script>, or <link>.
<a href="http://example.com" referrerpolicy="<directive>">…</a>
Example:
<a href="http://example.com" referrerpolicy="same-origin">…</a>
You can also use the rel="noreferrer" link type on <a>, <area>, or <form> elements to suppress the Referer header for that link or submission. It takes precedence over a referrerpolicy attribute on the same element.
The noreferrer link type is written without a dash. When setting the policy for the whole document with a <meta> tag, or via the Referrer-Policy header, the directive is spelled with a dash: <meta name="referrer" content="no-referrer">.
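The following is an added example, not code from the original article. It models how a browser combines the three mechanisms above into the policy actually applied to one request, and it shows a detail practitioners rely on: the Referrer-Policy header may carry a comma-separated list, tokens the browser does not recognise are skipped, and the last recognised one wins, so `Referrer-Policy: no-referrer, strict-origin-when-cross-origin` degrades to no-referrer on a browser that predates the newer directive. The legacy <meta> values (never, default, always, origin-when-crossorigin) are the ones the HTML specification still maps; the function names, the `known` parameter used to simulate an old browser, and the `browserDefault` parameter are my own.

```javascript
// Added example (not part of the original article): how the header,
// <meta name="referrer"> and the referrerpolicy attribute combine.
// Plain JavaScript, no dependencies (Node.js >= 10 or any browser).

const VALID_POLICIES = new Set([
  "no-referrer",
  "no-referrer-when-downgrade",
  "origin",
  "origin-when-cross-origin",
  "same-origin",
  "strict-origin",
  "strict-origin-when-cross-origin",
  "unsafe-url",
]);

// Legacy <meta name="referrer"> values the HTML spec still maps to
// current directives.
const LEGACY_META = {
  "never": "no-referrer",
  "default": "no-referrer-when-downgrade",
  "always": "unsafe-url",
  "origin-when-crossorigin": "origin-when-cross-origin",
};

// Referrer-Policy header: a comma-separated list. Tokens the browser does
// not recognise are skipped and the LAST recognised one wins, which is
// what makes
//   Referrer-Policy: no-referrer, strict-origin-when-cross-origin
// a safe fallback for old browsers. `known` is the set of directives the
// browser understands (pass a reduced set to simulate an old browser).
// Returns "" when no usable policy was found.
function parseReferrerPolicyHeader(headerValue, known = VALID_POLICIES) {
  let policy = "";
  for (const raw of headerValue.split(",")) {
    const token = raw.trim();
    if (known.has(token)) policy = token;
  }
  return policy;
}

// <meta name="referrer" content="..."> value, including legacy spellings.
// Returns "" for an unrecognised value; the document's policy is then
// left unchanged.
function parseMetaReferrer(content, known = VALID_POLICIES) {
  const value = content.trim().toLowerCase();
  if (known.has(value)) return value;
  return LEGACY_META[value] || "";
}

// Policy applied to one request from an element. Precedence, highest first:
//   1. rel="noreferrer" on <a>/<area>/<form>  -> no-referrer, always
//   2. the element's own referrerpolicy attribute (invalid value = unset)
//   3. <meta name="referrer">, which replaces whatever the header set
//   4. the Referrer-Policy response header
//   5. the browser default (assumed here: strict-origin-when-cross-origin)
function effectivePolicy(page, known = VALID_POLICIES,
                         browserDefault = "strict-origin-when-cross-origin") {
  const { header = "", meta = "", attribute = "", rel = "" } = page;
  if (rel.toLowerCase().split(/\s+/).includes("noreferrer")) return "no-referrer";
  const attr = attribute.trim().toLowerCase(); // enumerated attribute: case-insensitive
  if (known.has(attr)) return attr;
  return parseMetaReferrer(meta, known)
      || parseReferrerPolicyHeader(header, known)
      || browserDefault;
}

// Usage: a page sent with the fallback header, viewed by a browser that
// does not know strict-origin-when-cross-origin (constructed scenario).
const OLD_BROWSER = new Set(["no-referrer", "no-referrer-when-downgrade",
                             "origin", "origin-when-cross-origin", "unsafe-url"]);
console.log(effectivePolicy(
  { header: "no-referrer, strict-origin-when-cross-origin" }, OLD_BROWSER)); // no-referrer
console.log(effectivePolicy(
  { header: "same-origin", attribute: "unsafe-url", rel: "noopener noreferrer" })); // no-referrer
```

A header value a browser cannot parse at all yields "", which means the browser default applies, not no-referrer; if you need a hard floor for old browsers, put the conservative directive first in the list as shown.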
Referrer Policy directives #
| Directive | Description |
|---|---|
| no-referrer | Never send the Referer header. |
| no-referrer-when-downgrade | Send the full URL unless the request goes from HTTPS to HTTP. HTTPS → HTTPS and HTTP → anything get the full URL. |
| origin | Always send only the origin (scheme, host, and port, serialized as https://example.com/), never the path or query, even on a downgrade. |
| origin-when-cross-origin | Full URL for same-origin requests, origin only for cross-origin requests (including downgrades). |
| same-origin | Full URL for same-origin requests. No header for cross-origin requests. |
| strict-origin | Origin only, and nothing on a downgrade (HTTPS → HTTP). |
| strict-origin-when-cross-origin | Full URL for same-origin requests, origin only for cross-origin requests at the same security level, nothing on a downgrade (HTTPS → HTTP). Default in modern browsers. |
| unsafe-url | Always send the full URL, even on a downgrade. Strongly discouraged. |
Whatever the directive, browsers never include the fragment (#...) or any credentials embedded in the URL in the Referer header.
Fallback policy #
If no policy is explicitly set, modern browsers default to strict-origin-when-cross-origin. This provides a good balance between usability and privacy.
Older browsers may fall back to no-referrer-when-downgrade.
Examples #
no-referrer #
With no-referrer, the Referer header is never sent.
Example:
- From https://example.com/page1 to https://example.net/page2. Referrer sent: none
no-referrer-when-downgrade #
With no-referrer-when-downgrade, the full URL is sent unless the request goes from an HTTPS page to an HTTP destination. HTTPS → HTTPS and HTTP → HTTP requests get the full URL.
Nothing is sent on a downgrade (HTTPS → HTTP).
Examples:
- From https://example.com/page1 to https://example.net/page2. Referrer sent: https://example.com/page1
- From https://example.com/page1 to http://example.net/page2. Referrer sent: none
origin #
With origin, only the origin (serialized with a trailing slash) is sent, never the path or query parameters, and it is sent even on a downgrade.
Example:
- From https://example.com/page1?user=42 to https://example.net/page2. Referrer sent: https://example.com/
origin-when-cross-origin #
With origin-when-cross-origin, the full URL is sent for same-origin requests, while only the origin is sent for cross-origin requests.
Examples:
- From https://example.com/page1 to https://example.com/page2. Referrer sent: https://example.com/page1
- From https://example.com/page1 to https://example.net/page2. Referrer sent: https://example.com/
same-origin #
With same-origin, the full URL is sent only if the request is same-origin. No Referer is sent to cross-origin destinations.
Examples:
- From https://example.com/page1 to https://example.com/page2. Referrer sent: https://example.com/page1
- From https://example.com/page1 to https://example.net/page2. Referrer sent: none
strict-origin #
With strict-origin, only the origin is sent, for same-origin and cross-origin requests alike, and nothing is sent on a downgrade (HTTPS → HTTP).
Examples:
- From https://example.com/page1 to https://example.net/page2. Referrer sent: https://example.com/
- From https://example.com/page1 to http://example.net/page2. Referrer sent: none
strict-origin-when-cross-origin (default) #
With strict-origin-when-cross-origin, the full URL is sent for same-origin requests. Only the origin is sent for cross-origin requests. No Referer is sent on a downgrade (HTTPS → HTTP).
Examples:
- From https://example.com/page1 to https://example.com/page2. Referrer sent: https://example.com/page1
- From https://example.com/page1 to https://example.net/page2. Referrer sent: https://example.com/
- From https://example.com/page1 to http://example.net/page2. Referrer sent: none
unsafe-url #
unsafe-url always sends the full URL, including path and query parameters, regardless of the security context, so in the example below the user=42 parameter reaches a plain-HTTP third party. This directive is discouraged because of its privacy risk.
Example:
- From https://example.com/page1?user=42 to http://example.net/page2. Referrer sent: https://example.com/page1?user=42
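The following is an added example, not code from the original article. It is a small model of the "determine request's referrer" algorithm from the Referrer Policy specification and reproduces every row of the directive table and every case in the examples above, so you can check what a given page URL would leak to a given destination under each directive. It uses only the WHATWG URL API. It deliberately simplifies "potentially trustworthy" to "scheme is https:" (the spec also trusts localhost, file: and wss:, which this model ignores); the function names, the `compareAll` helper and the sample URLs are my own.

```javascript
// Added example (not part of the original article): a model of the
// spec's "determine request's referrer" algorithm, enough to check what
// each directive sends for a given page and target.
// Uses only the WHATWG URL API (Node.js >= 10 or any modern browser).

const POLICIES = new Set([
  "no-referrer",
  "no-referrer-when-downgrade",
  "origin",
  "origin-when-cross-origin",
  "same-origin",
  "strict-origin",
  "strict-origin-when-cross-origin",
  "unsafe-url",
]);

// Simplification (assumption): only https: counts as "potentially
// trustworthy". The spec also trusts wss:, file:, localhost and a few
// other cases that this model leaves out.
function isPotentiallyTrustworthy(url) {
  return url.protocol === "https:";
}

// "Strip url for use as a referrer": credentials and fragment are always
// dropped; with originOnly the path and query go too, leaving
// scheme://host[:port]/ (note the trailing slash browsers actually send).
// Pages whose scheme is not http(s) (file:, data:, about:) never send a
// referrer at all.
function stripForReferrer(url, originOnly) {
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  const u = new URL(url.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  if (originOnly) {
    u.pathname = "/";
    u.search = "";
  }
  return u.href;
}

// Returns the Referer value a browser would send, or null for no header.
// An empty policy means "nothing set", which modern browsers treat as
// strict-origin-when-cross-origin.
function determineReferrer(policy, fromHref, toHref) {
  if (policy === "") policy = "strict-origin-when-cross-origin";
  if (!POLICIES.has(policy)) throw new Error(`unknown referrer policy: ${policy}`);

  const from = new URL(fromHref);
  const to = new URL(toHref);
  let referrerURL = stripForReferrer(from, false);
  const referrerOrigin = stripForReferrer(from, true);
  if (referrerURL === null) return null;
  // Spec: a referrer longer than 4096 characters is reduced to its origin.
  if (referrerURL.length > 4096) referrerURL = referrerOrigin;

  const sameOrigin = from.origin === to.origin;
  const downgrade = isPotentiallyTrustworthy(from) && !isPotentiallyTrustworthy(to);

  switch (policy) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return referrerURL;
    case "origin":
      return referrerOrigin;
    case "same-origin":
      return sameOrigin ? referrerURL : null;
    case "origin-when-cross-origin":
      return sameOrigin ? referrerURL : referrerOrigin;
    case "no-referrer-when-downgrade":
      return downgrade ? null : referrerURL;
    case "strict-origin":
      return downgrade ? null : referrerOrigin;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return referrerURL;
      return downgrade ? null : referrerOrigin;
  }
}

// What would leak from fromHref to a third party at toHref under every
// directive; handy when auditing a page whose URL carries secrets.
function compareAll(fromHref, toHref) {
  const out = {};
  for (const p of POLICIES) out[p] = determineReferrer(p, fromHref, toHref);
  return out;
}

// Constructed sample: a password-reset page with its token in the query
// string embedding an analytics pixel from another site.
console.table(compareAll(
  "https://shop.example/reset?token=abc123",
  "https://analytics.example/pixel.gif"
));
```

Running the sample shows the point of the privacy section in one table: unsafe-url, no-referrer-when-downgrade and the legacy default hand the reset token to the analytics host, while the modern default and everything stricter send at most https://shop.example/.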
FAQ #
Most common questions and brief, easy-to-understand answers on the topic:
What is the difference between 'referrer' and 'referer'?
The correct word is 'referrer', but due to a historical misspelling in the HTTP specification, the HTTP header is named 'Referer'.
Why is the Referrer header a privacy issue?
It can leak sensitive information from the referring URL to third-party websites, such as query parameters, search terms, or personal identifiers.
Which Referrer Policy is safest to use?
The safest is no-referrer, which sends no referrer information. However, strict-origin-when-cross-origin offers a strong balance between functionality and privacy.
Is setting a Referrer Policy required for GDPR compliance?
It is not strictly required but strongly recommended, as it supports data minimization and helps prevent accidental data disclosure.
How can I set a Referrer Policy on my website?
You can set it site-wide via the Referrer-Policy HTTP header or the <meta name="referrer" content="..."> tag in HTML, and per element with the referrerpolicy attribute or rel="noreferrer".
Further readings #
Sources and recommended, further resources on the topic:
- RFC 9110 (HTTP Semantics) - Referer header
- Wikipedia: HTTP Referer
- W3C Referrer Policy Specification (Candidate Recommendation)
- W3C Referrer Policy Specification (Draft)
- GDPR Recital 83
- GDPR Article 5.1.c
- GDPR Article 25
- GDPR Article 32.2
License
Introduction to Referrer Policy by Jonas Jared Jacek is licensed under CC BY-SA 4.0.
This license requires that reusers give credit to the creator. It allows reusers to distribute, remix, adapt, and build upon the material in any medium or format, even for commercial purposes, provided that adaptations are shared under the same license. To give credit, provide a link back to the original source, the author, and the license, e.g. like this:
Introduction to Referrer Policy (https://www.ditig.com/introduction-to-referrer-policy) by Jonas Jared Jacek (https://www.j15k.com/) is licensed under CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0/).
For more information see the Ditig legal page.