
security

How to fix: Referrer-Policy

OWASP A04

Why this matters

Without a Referrer-Policy, every link click leaks the full URL of the page the visitor came from to the destination site — which can include internal URLs, search queries, and document IDs that should stay private.

Background

By default, navigating from one page to another sends the full current URL, query string included, as the Referer header. If your URLs contain session tokens, password-reset codes, or user identifiers, those leak to every third-party resource you embed and to every site you link to. strict-origin-when-cross-origin is the sensible default: same-origin requests still get the full URL, cross-origin requests get only the origin, and an https-to-http downgrade gets nothing at all.

References

W3C Referrer Policy · OWASP information-leak guidance

How to fix

Code snippet for each stack we cover. Pick the one matching your server / framework.

nginx:
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

apache:
Header always set Referrer-Policy "strict-origin-when-cross-origin"

cloudflare:
Transform Rules → response header → Referrer-Policy: strict-origin-when-cross-origin.

wordpress:
Headers Security Advanced plugin; OR a `<meta name="referrer" content="strict-origin-when-cross-origin">` in <head> (less robust than the header, since it only covers pages that include the tag).

flask:
Flask-Talisman sets this value by default: `Talisman(app)`. To make it explicit: `Talisman(app, referrer_policy='strict-origin-when-cross-origin')`.

express:
app.use(helmet.referrerPolicy({ policy: 'strict-origin-when-cross-origin' }))

rails:
config.action_dispatch.default_headers.merge!('Referrer-Policy' => 'strict-origin-when-cross-origin')

Verify it's working

curl -sI https://your-site/ | grep -i 'referrer-policy:'
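The curl check above only tells you the header is present; it does not tell you what a browser will actually send. The header is a fallback list (a later recognized token overrides earlier ones, unknown tokens are ignored, and an empty or unrecognized value falls back to the browser default), so `Referrer-Policy: no-referrer, strict-origin-when-cross-origin` resolves to the second token. The following added example (written for this page, not the project's own tooling) parses raw `curl -sI` output, resolves the effective policy, and then computes the Referer a browser would send for a given navigation under the rules described in the Background section. The sample response headers and URLs (`app.example`, `cdn.example`, the `token=` query) are constructed for the demonstration.

```python
from urllib.parse import urlsplit, urlunsplit

# All policy tokens defined by the W3C Referrer Policy spec.
POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Modern browsers apply this when no recognized policy is delivered.
DEFAULT_POLICY = "strict-origin-when-cross-origin"


def effective_policy(header_value):
    """Resolve a Referrer-Policy header value the way a browser does:
    split on commas, keep the LAST recognized token, ignore the rest."""
    policy = ""
    for token in (header_value or "").split(","):
        token = token.strip()
        if token in POLICIES:
            policy = token
    return policy or DEFAULT_POLICY


def policy_from_raw_headers(raw):
    """Extract Referrer-Policy from a raw response head (e.g. `curl -sI` output).
    Returns (header_value_or_None, effective_policy)."""
    values = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if name.strip().lower() == "referrer-policy":
            values.append(value.strip())
    header_value = ", ".join(values) if values else None
    return header_value, effective_policy(header_value)


def _host_port(parts):
    netloc = parts.hostname or ""
    return netloc + (f":{parts.port}" if parts.port else "")


def _strip(url):
    """Referrer form of a URL: credentials and fragment removed, query kept."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(p), p.path or "/", p.query, ""))


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{_host_port(p)}/"


def _same_origin(a, b):
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def _downgrade(src, dst):
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"


def referer_for(policy, src, dst):
    """Referer header value sent when navigating src -> dst under `policy`,
    or None when nothing is sent."""
    full, origin = _strip(src), _origin(src)
    same, down = _same_origin(src, dst), _downgrade(src, dst)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if down else full
    if policy == "same-origin":
        return full if same else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if down else origin
    if policy == "origin-when-cross-origin":
        return full if same else origin
    if policy == "strict-origin-when-cross-origin":
        if same:
            return full
        return None if down else origin
    raise ValueError(f"unknown policy {policy!r}")


# Constructed sample: what `curl -sI` might print for a site using a fallback list.
SAMPLE_CURL_OUTPUT = """HTTP/2 200
content-type: text/html; charset=utf-8
referrer-policy: no-referrer, strict-origin-when-cross-origin
"""

if __name__ == "__main__":
    header, policy = policy_from_raw_headers(SAMPLE_CURL_OUTPUT)
    print(f"header={header!r} -> effective policy {policy}")
    src = "https://user:pw@app.example/reset?token=SAMPLE#top"
    for dst in ("https://app.example/done", "https://cdn.example/a.js", "http://cdn.example/a.js"):
        for p in ("unsafe-url", policy):
            print(f"{p:32} {dst:28} Referer={referer_for(p, src, dst)}")
```

Running it shows the point of the fix: under `unsafe-url` the reset token in the query string is handed to the third-party CDN, while under the recommended policy the same navigation sends only `https://app.example/` (and nothing at all over plain http), with the full URL still available to same-origin pages.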
