Referrer-Policy: Security Header
The Referrer-Policy HTTP header controls how much referrer information should be included with requests. Aside from the HTTP header, you can also set this policy in HTML.
Options
- no-referrer
- no-referrer-when-downgrade
- origin
- origin-when-cross-origin
- same-origin
- strict-origin
- strict-origin-when-cross-origin
- unsafe-url
no-referrer
The Referer header is omitted: sent requests do not include any referrer information.
no-referrer-when-downgrade
Send the origin, path, and query string when the protocol security level stays the same or improves (HTTP to HTTP, HTTP to HTTPS, HTTPS to HTTPS).
Don't send the header for requests to less secure destinations (HTTPS to HTTP, HTTPS to file).
origin
Send only the origin in the header.
For example, a document at https://example.com/page.html will send the referrer https://example.com/.
origin-when-cross-origin
When performing a same-origin request to the same protocol level (HTTP to HTTP, HTTPS to HTTPS), send the origin, path, and query string.
Send only the origin for cross-origin requests and requests to less secure destinations (HTTPS to HTTP).
same-origin
Send the origin, path, and query string for same-origin requests.
Don't send the header for cross-origin requests.
strict-origin
Send only the origin when the protocol security level stays the same (HTTPS to HTTPS).
Don't send the header to less secure destinations (HTTPS to HTTP).
strict-origin-when-cross-origin (default)
Send the origin, path, and query string when performing a same-origin request.
For cross-origin requests, send only the origin when the protocol security level stays the same (HTTPS to HTTPS).
Don't send the header to less secure destinations (HTTPS to HTTP).
unsafe-url
Send the origin, path, and query string when performing any request, regardless of security.