
How to fix: Referrer-Policy (NIS2 technical measure)

NIS2 Art. 21(2)(a)

Why this matters

A restrictive Referrer-Policy is a data-minimisation control: sending less to third parties aligns with NIS2's risk-management posture.

Background

Referrer-Policy controls what the browser sends in the Referer header when it makes requests to other origins. The browser's default behaviour can leak the full URL (path and query string included) to third-party sites, which is a confidentiality concern under NIS2. strict-origin-when-cross-origin is the modern safe default.
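To make the leakage concrete, the following is an added example (not part of the original guide) that resolves a Referrer-Policy header value the way a browser does and computes the Referer a browser would send from a source page to a destination under each policy. The URLs and the assumed browser default are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Policy tokens defined by the Referrer Policy specification.
POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}

def parse_policy(header_value, default="strict-origin-when-cross-origin"):
    """Resolve a Referrer-Policy header to the single token a browser applies.
    The value may be a comma-separated fallback list; browsers keep the last token they
    recognise. `default` models the browser's own default (assumed: a current browser)."""
    chosen = default
    for token in (t.strip().lower() for t in (header_value or "").split(",")):
        if token in POLICIES:
            chosen = token
    return chosen

def _host(p):
    return p.netloc.rsplit("@", 1)[-1]  # referrers never carry userinfo credentials
def _origin(p):
    return f"{p.scheme}://{_host(p)}/"
def _full_url(p):
    return urlunsplit((p.scheme, _host(p), p.path, p.query, ""))  # fragment dropped

def referer_sent(policy, source_url, dest_url):
    """Return the Referer value sent for a request from source_url to dest_url
    under `policy`, or None when the browser omits the header entirely."""
    s, d = urlsplit(source_url), urlsplit(dest_url)
    same_origin = (s.scheme, _host(s)) == (d.scheme, _host(d))
    downgrade = s.scheme == "https" and d.scheme == "http"  # TLS -> plaintext
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _full_url(s)
    if policy == "no-referrer-when-downgrade":  # the legacy browser default
        return None if downgrade else _full_url(s)
    if policy == "origin":
        return _origin(s)
    if policy == "strict-origin":
        return None if downgrade else _origin(s)
    if policy == "same-origin":
        return _full_url(s) if same_origin else None
    if policy == "origin-when-cross-origin":
        return _full_url(s) if same_origin else _origin(s)
    # strict-origin-when-cross-origin: full URL same-origin, bare origin cross-origin, nothing on downgrade
    if same_origin:
        return _full_url(s)
    return None if downgrade else _origin(s)
```

Running referer_sent with a constructed source such as https://shop.example/account?order=123 shows the legacy default handing the whole URL to a third-party origin, while strict-origin-when-cross-origin reduces it to https://shop.example/.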

References

NIS2 Art. 21(2)(a) · MDN: Referrer-Policy · RFC 8674

How to fix

A code snippet for each stack we cover; pick the one matching your server or framework.

nginx
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

apache
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

cloudflare
    Transform Rules → Modify Response Header.

wordpress
    The WP Headers Security Advanced plugin handles it.

flask
    @app.after_request
    def set_referrer_policy(resp):
        # setdefault keeps any stricter policy a view has already set
        resp.headers.setdefault('Referrer-Policy', 'strict-origin-when-cross-origin')
        return resp

express
    app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }))

rails
    Set it in the default headers in config/application.rb.

Verify it's working

curl -sI https://your-site/ | grep -i referrer-policy
