Referrer-Policy: Security Header

The Referrer-Policy HTTP header controls how much referrer information should be included with requests. Aside from the HTTP header, you can also set this policy in HTML.

Options

  1. no-referrer
  2. no-referrer-when-downgrade
  3. origin
  4. origin-when-cross-origin
  5. same-origin
  6. strict-origin
  7. strict-origin-when-cross-origin
  8. unsafe-url

no-referrer

The header is omitted entirely; requests carry no referrer information.

no-referrer-when-downgrade

Send the origin, path, and query string when the protocol security level stays the same or improves (HTTP to HTTP, HTTP to HTTPS, HTTPS to HTTPS).

Don't send the header for requests to less secure destinations (HTTPS to HTTP, HTTPS to file).

origin

Send only the origin in the header.

For example, a document at https://example.com/page.html will send the referrer https://example.com/.

origin-when-cross-origin

When performing a same-origin request to the same protocol level (HTTP to HTTP, HTTPS to HTTPS), send the origin, path, and query string.

Send only the origin for cross-origin requests and requests to less secure destinations (HTTPS to HTTP).

same-origin

Send the origin, path, and query string for same-origin requests.

Don't send the header for cross-origin requests.

strict-origin

Send only the origin when the protocol security level stays the same (HTTPS to HTTPS).

Don't send the header to less secure destinations (HTTPS to HTTP).

strict-origin-when-cross-origin (default)

Send the origin, path, and query string when performing a same-origin request.

For cross-origin requests, send only the origin, and only when the protocol security level stays the same (HTTPS to HTTPS).

Don't send the header to less secure destinations (HTTPS to HTTP).

unsafe-url

Send the origin, path, and query string when performing any request, regardless of security.
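The eight policies above are easiest to compare side by side. The following is an added example, not code from the original page: a small Node.js function that computes the Referer value a browser would send for a given policy, page URL and destination URL, following the rules listed above (plus the standard stripping of credentials and fragment that applies to every policy). It also parses a Referrer-Policy header that lists several tokens as a fallback for older browsers, where the last recognised token wins. The URLs used as sample input are constructed for the demonstration.

```javascript
// Added example (not from the original page): compute the Referer value a
// browser would attach to a request under each Referrer-Policy value.
// Assumes Node.js (WHATWG URL global). Policy semantics follow the page's
// descriptions; credentials and fragment are always stripped, as the spec requires.

const POLICIES = new Set([
  'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
  'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url',
]);

// Only TLS-protected schemes count as the "more secure" level here. Anything
// else (http:, file:, ...) is a downgrade target when the page itself is https.
function isSecureScheme(url) {
  return url.protocol === 'https:' || url.protocol === 'wss:';
}

// Referrer URLs never carry credentials or a fragment; "origin only" additionally
// drops path and query, leaving e.g. "https://example.com/".
function stripForReferrer(url, originOnly) {
  const u = new URL(url.href);
  u.username = '';
  u.password = '';
  u.hash = '';
  if (originOnly) {
    u.pathname = '/';
    u.search = '';
  }
  return u.href;
}

// Returns the Referer string, or null when the header must be omitted.
function referrerFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;            // implies same scheme
  const downgrade = isSecureScheme(from) && !isSecureScheme(to);
  const full = stripForReferrer(from, false);
  const originOnly = stripForReferrer(from, true);

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : full;
    case 'origin':
      return originOnly;
    case 'origin-when-cross-origin':
      return sameOrigin ? full : originOnly;
    case 'same-origin':
      return sameOrigin ? full : null;
    case 'strict-origin':
      return downgrade ? null : originOnly;
    case 'strict-origin-when-cross-origin':            // the browser default
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    case 'unsafe-url':
      return full;
    default:
      throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// A Referrer-Policy header may list several tokens (a fallback for browsers
// that do not know the newer names). The last token the browser recognises
// wins; an empty or entirely unrecognised header leaves the default in force.
function parseReferrerPolicyHeader(headerValue) {
  let chosen = 'strict-origin-when-cross-origin';
  for (const raw of (headerValue || '').split(',')) {
    const token = raw.trim().toLowerCase();
    if (POLICIES.has(token)) chosen = token;
  }
  return chosen;
}

// Constructed sample: an https page with a query string (the kind of data a
// Referer can leak) navigating to a same-origin, a cross-origin and an http target.
const PAGE = 'https://example.com/account?tab=billing#top';
const TARGETS = ['https://example.com/help', 'https://partner.example/', 'http://insecure.example/'];

for (const policy of POLICIES) {
  const row = TARGETS.map((t) => referrerFor(policy, PAGE, t) ?? '(omitted)');
  console.log(policy.padEnd(32), row.join(' | '));
}
```

Running the block prints one row per policy; the third column shows which policies leak the path and query string of an https page to a plain-http destination (only unsafe-url does), and the second column shows which leak them cross-origin (no-referrer-when-downgrade and unsafe-url).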