Controls how much information your site shares with other websites when a visitor clicks a link — preventing sensitive page URLs from leaking to third parties.
When someone clicks a link on your site and goes to another website, browsers automatically include a Referer header in the request telling the destination site where the visitor came from. This sounds harmless, but the full URL can contain sensitive information: search terms, user IDs, session tokens, order numbers, or private document paths.
For example, if a user is on https://yourshop.com/orders/12345/invoice and clicks a link to a payment processor, the payment processor receives that full URL — including the order number — in the Referer header. That data could be logged, sold, or exposed in a breach.
Referrer-Policy lets you control exactly how much of this URL gets shared.
When you leave a building through a revolving door, there's a window where people outside can see which floor you came from. Referrer-Policy is the frosted glass on that window — you can choose whether outsiders see the full floor plan, just the building name, or nothing at all.
No header set (browser default: no-referrer-when-downgrade)
The full URL is sent to every HTTPS destination, so https://yoursite.com/user/profile?token=abc123 is sent in full to every third-party resource on the page: analytics scripts, ad networks, embedded fonts.
Referrer-Policy: unsafe-url
Sends the full URL everywhere, including to HTTP sites. The word "unsafe" in the name is a warning — avoid this.
Referrer-Policy: strict-origin-when-cross-origin
The modern best-practice default. When linking to other domains: sends only your domain name (e.g. yoursite.com), not the full path. When linking within your own domain: sends the full URL. Never sends anything when going from HTTPS to HTTP.
Referrer-Policy: no-referrer
Sends nothing. Maximally private, but breaks some analytics and affiliate tracking that rely on referrer data.
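As an added example that is not part of the original page, the following Node.js script works out what each of the four policies above actually puts in the Referer header for a given source and destination URL, using the page's own shop and profile URLs; the payment-processor and tracker URLs are constructed placeholders.

```javascript
// Added example, not from the original page: works out the Referer value a
// browser sends under each policy above, following the Referrer Policy spec's
// "determine request's referrer" steps. Assumes Node.js (WHATWG URL class).
// Browsers never send credentials or the fragment in a Referer.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Origin-only referrers are the serialized origin plus a trailing slash.
function originOf(url) {
  return new URL(url).origin + "/";
}

// HTTPS -> HTTP is a "downgrade": the page is trustworthy, the target is not.
function isDowngrade(from, to) {
  return new URL(from).protocol === "https:" && new URL(to).protocol === "http:";
}
function sameOrigin(from, to) {
  return new URL(from).origin === new URL(to).origin;
}

// Returns the Referer header value, or null when the browser sends none.
function refererFor(policy, from, to) {
  const full = stripForReferrer(from);
  switch (policy) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return full;
    case "no-referrer-when-downgrade":
      return isDowngrade(from, to) ? null : full;
    case "strict-origin-when-cross-origin":
      if (isDowngrade(from, to)) return null;
      return sameOrigin(from, to) ? full : originOf(from);
    default:
      throw new Error("unsupported policy: " + policy);
  }
}

// The page's shop example; the payment-processor URL is a constructed placeholder.
const pageFrom = "https://yourshop.com/orders/12345/invoice";
const pageTo = "https://pay.example.com/checkout";
for (const p of ["no-referrer-when-downgrade", "unsafe-url", "strict-origin-when-cross-origin", "no-referrer"]) {
  console.log(p.padEnd(32), refererFor(p, pageFrom, pageTo));
}
```

Running it shows that only no-referrer and strict-origin-when-cross-origin keep the order number out of the processor's logs, and that the latter still reveals which shop the visitor came from.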
nginx (inside the server or location block):
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
Apache (needs mod_headers; in httpd.conf or .htaccess):
Header always set Referrer-Policy "strict-origin-when-cross-origin"
If you can't modify server headers, add this inside your <head> tag on every page:
<meta name="referrer" content="strict-origin-when-cross-origin">
Cloudflare: use Transform Rules → Modify Response Header to add Referrer-Policy with the value strict-origin-when-cross-origin.
If you rely on referrer data to track which external sites send traffic (e.g. in Google Analytics), no-referrer will blank those out. Use strict-origin-when-cross-origin instead — it preserves the source domain while hiding sensitive paths.