Referrer-Policy

HTTP header that controls how much referrer information is included with requests to enhance privacy and security.

What is Referrer-Policy?

The Referrer-Policy header is an HTTP response header that controls how much referrer information (the URL of the page from which a request originates) the browser includes with requests made by that page. It balances the needs of analytics and debugging against user privacy and the risk of leaking sensitive URL contents to other sites.

When a user follows a link, and also when a page loads images, scripts or stylesheets or makes fetch/XHR requests, the browser normally sends the originating page's URL in the Referer header (note the historical misspelling; the policy header itself is spelled correctly). The Referrer-Policy header lets the site owner specify how much of that URL, if any, is sent.

Header Syntax

The Referrer-Policy header takes one of the following directives (several values may be listed, comma-separated; browsers apply the last one they recognise):

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

Policy Directives Explained

Directive                        Behavior
no-referrer                      Never sends the Referer header.
no-referrer-when-downgrade       Sends the full URL except on an HTTPS-to-HTTP downgrade. Formerly the browser default; current browsers default to strict-origin-when-cross-origin instead.
origin                           Sends only the origin (scheme + host + port, e.g. https://app.example/), even on a downgrade.
origin-when-cross-origin         Full URL for same-origin requests; origin only for cross-origin requests, including downgrades.
same-origin                      Full URL for same-origin requests; nothing for cross-origin requests.
strict-origin                    Origin only, and nothing on an HTTPS-to-HTTP downgrade (HTTPS→HTTPS, HTTP→HTTP and HTTP→HTTPS all send the origin).
strict-origin-when-cross-origin  Full URL for same-origin requests; origin only for cross-origin requests at the same or higher security level; nothing on a downgrade. The current browser default.
unsafe-url                       Always sends the full URL, including on downgrades. Avoid: it leaks paths and query strings to every destination.

In every mode the browser strips credentials (user:password@) and the fragment (#...) before sending; the query string is removed only by the policies that send the origin alone.
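To make the table concrete, the following added example (not code from the original page) computes the Referer value a browser would send for a given policy, source URL and destination URL, following the "determine request's referrer" algorithm of the Referrer Policy specification: credential and fragment stripping, the origin-only form with its trailing slash, the local-scheme and 4096-character rules, and the downgrade check used by the strict-* policies. The URLs (app.example, cdn.example, ads.example) are constructed sample inputs.

```javascript
// Added example, not from the original page: what Referer does each policy
// produce for a request from sourceUrl to destUrl? Sample URLs are constructed.

const POLICIES = [
  'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
  'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url',
];

// "Potentially trustworthy" per the Secure Contexts spec (simplified):
// https/wss/file schemes, or a loopback host. A request to a trustworthy
// destination is never a downgrade, even if it is plain http://localhost.
function isPotentiallyTrustworthy(url) {
  if (['https:', 'wss:', 'file:'].includes(url.protocol)) return true;
  const host = url.hostname.replace(/^\[|\]$/g, ''); // WHATWG URL keeps [] on IPv6
  return host === 'localhost' || host.endsWith('.localhost') ||
    host === '127.0.0.1' || host === '::1';
}

// Strip a URL for use as a referrer: drop userinfo and fragment. With
// originOnly set, keep only scheme://host:port followed by "/", which is the
// exact form browsers send for the origin-only policies.
function stripForReferrer(url, originOnly) {
  if (originOnly) return url.origin + '/';
  const u = new URL(url.href);
  u.username = ''; u.password = ''; u.hash = '';
  return u.href;
}

// Returns the Referer header value, or null when no header is sent.
function computeReferrer(policy, sourceUrl, destUrl) {
  const source = new URL(sourceUrl);
  const dest = new URL(destUrl);
  // The empty policy means "use the browser default", which in current
  // browsers is strict-origin-when-cross-origin.
  if (policy === '') policy = 'strict-origin-when-cross-origin';
  if (!POLICIES.includes(policy)) throw new Error(`unknown policy: ${policy}`);
  // Pages at local schemes never send a referrer (about:, blob:, data:, file:).
  if (['about:', 'blob:', 'data:', 'file:'].includes(source.protocol)) return null;

  const sameOrigin = source.origin === dest.origin;
  const downgrade = isPotentiallyTrustworthy(source) && !isPotentiallyTrustworthy(dest);
  const originOnly = stripForReferrer(source, true);
  let full = stripForReferrer(source, false);
  if (full.length > 4096) full = originOnly; // spec: oversized referrers collapse to origin

  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? full : null;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'strict-origin': return downgrade ? null : originOnly;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
  }
}

// Evaluate every policy for one source/destination pair.
function referrerTable(sourceUrl, destUrl) {
  const out = {};
  for (const p of POLICIES) out[p] = computeReferrer(p, sourceUrl, destUrl);
  return out;
}

// A password-reset page embedding a third-party pixel over plain HTTP: only the
// unsafe-url policy hands the token to ads.example.
console.log(referrerTable('https://app.example/reset?token=abc123', 'http://ads.example/pixel.gif'));
```

Run it with node; the printed table shows that on the downgrade only unsafe-url sends the token, origin and origin-when-cross-origin still disclose https://app.example/, and the strict-* policies send nothing.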

Security and Privacy Considerations

Privacy benefits:

  • Prevents leakage of sensitive information in URLs
  • Reduces tracking capabilities across different domains
  • Enhances user privacy by limiting referrer information

Security implications:

  • Stops secrets carried in URLs (password-reset tokens, OAuth authorization codes, session identifiers in query strings) from reaching third-party scripts, images, links and redirect targets via the Referer header
  • Prevents exposure of internal URLs, paths and parameters that would help an attacker map an application
  • Does not prevent CSRF. The header only governs what the browser sends; a site that relies on Referer checks for CSRF protection will even reject its own requests if it sets no-referrer, so use anti-CSRF tokens, SameSite cookies or the Origin header for that purpose

Potential drawbacks:

  • May break some analytics and tracking systems
  • Can affect functionality of third-party services that rely on referrer information
  • Sites you link to lose referral attribution in their analytics (search rankings do not depend on the Referer header)

Best Practices

  1. Set an explicit policy instead of relying on the browser default; for most sites:
    Referrer-Policy: strict-origin-when-cross-origin
    
     For pages that carry tokens or other secrets in the URL, prefer same-origin or no-referrer.
  2. Avoid unsafe-url as it sends full URLs, including query strings, to every destination; treat no-referrer-when-downgrade as legacy, since it still sends full URLs to any HTTPS third party
  3. Do not put secrets in URLs in the first place; Referrer-Policy limits the leak through Referer but not through browser history, proxy logs or bookmarks
  4. Consider your analytics needs - stricter policies may impact tracking capabilities
  5. Test the chosen policy to ensure it doesn't break required functionality, in particular any Referer-based checks on your own site
  6. For older browsers, list a fallback first; browsers apply the last value they recognise:
    Referrer-Policy: no-referrer, strict-origin-when-cross-origin
  7. Combine with other security headers for comprehensive protection, such as Content-Security-Policy, Strict-Transport-Security and X-Content-Type-Options

Example Implementations

HTTP Response Header:

Referrer-Policy: strict-origin-when-cross-origin

Web Server Configuration Examples:

Apache (.htaccess, requires mod_headers):

Header always set Referrer-Policy "strict-origin-when-cross-origin"

The always condition makes Apache add the header to error responses as well, not only to successful ones.

Nginx:

add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Without always, Nginx adds the header only to 2xx and 3xx responses. Note also that an add_header directive inside a nested location block replaces every add_header inherited from the enclosing block, so repeat it wherever other headers are set.

Express.js (Node.js):

const express = require('express');
const app = express();

// Register before the routes so every response carries the header
app.use((req, res, next) => {
  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
  next();
});

HTML Meta Tag:

<meta name="referrer" content="strict-origin-when-cross-origin">

Individual links and subresources can override the document policy with the referrerpolicy attribute (for example <a href="..." referrerpolicy="no-referrer">), links can use rel="noreferrer", and fetch() accepts a referrerPolicy option in its request init.
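Whichever of the configurations above is used, the value that reaches the browser is what matters, and it is parsed as a comma-separated list in which the last recognised token wins. The following added example (not code from the original page) audits the Referrer-Policy header of a set of HTTP responses the way a header-scanning tool would: it parses the value as browsers do, reports the effective policy, and flags missing headers, unknown tokens and weak policies. The response headers and paths are constructed samples, and treating tokens case-insensitively is an assumption for tolerance rather than a spec guarantee.

```javascript
// Added example, not from the original page: audit Referrer-Policy headers
// collected from several endpoints. Responses below are constructed samples.

const VALID_POLICIES = new Set([
  'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
  'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url',
]);

// Parse the header as browsers do: comma-separated list, the LAST token the
// browser recognises wins, unknown tokens are ignored. That is why
// "no-referrer, strict-origin-when-cross-origin" gives older browsers that
// predate the strict-* values a safe fallback.
function parseReferrerPolicyHeader(value) {
  let policy = '';
  const unknown = [];
  for (const raw of String(value).split(',')) {
    const token = raw.trim().toLowerCase(); // assumption: tolerate mixed case
    if (token === '') continue;
    if (VALID_POLICIES.has(token)) policy = token;
    else unknown.push(token);
  }
  return { policy, unknown };
}

// headers: plain object of response headers, keys in any case.
// Returns the effective policy (null when the header is absent) and findings.
function auditReferrerPolicy(headers) {
  const findings = [];
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === 'referrer-policy');
  if (!entry) {
    findings.push({ severity: 'low', message: 'header missing: browser default applies (strict-origin-when-cross-origin in current browsers, full URL except on downgrade in older ones)' });
    return { effective: null, findings };
  }
  const { policy, unknown } = parseReferrerPolicyHeader(entry[1]);
  for (const t of unknown) {
    findings.push({ severity: 'medium', message: `unrecognised token "${t}" is ignored by browsers (legacy meta values such as never/always/default are not valid in the header)` });
  }
  if (policy === '') {
    findings.push({ severity: 'medium', message: 'no valid directive: header has no effect' });
  } else if (policy === 'unsafe-url') {
    findings.push({ severity: 'high', message: 'unsafe-url sends the full URL (path and query string) to every destination, including HTTPS-to-HTTP' });
  } else if (policy === 'no-referrer-when-downgrade') {
    findings.push({ severity: 'medium', message: 'full URL is sent to every HTTPS third party; prefer strict-origin-when-cross-origin' });
  } else if (policy === 'origin' || policy === 'origin-when-cross-origin') {
    findings.push({ severity: 'low', message: `${policy} still sends the origin over plain HTTP on downgrade; the strict-* variants do not` });
  }
  return { effective: policy, findings };
}

// Constructed sample: headers a crawler collected per endpoint.
const SAMPLE_RESPONSES = {
  '/':       { 'Content-Type': 'text/html' },
  '/login':  { 'content-type': 'text/html', 'referrer-policy': 'no-referrer, strict-origin-when-cross-origin' },
  '/legacy': { 'Referrer-Policy': 'always' },
  '/track':  { 'Referrer-Policy': 'unsafe-url' },
};

function auditAll(responses) {
  const report = {};
  for (const [path, headers] of Object.entries(responses)) report[path] = auditReferrerPolicy(headers);
  return report;
}

for (const [path, r] of Object.entries(auditAll(SAMPLE_RESPONSES))) {
  console.log(path, '=>', r.effective ?? '(none)', r.findings.map((f) => `[${f.severity}] ${f.message}`));
}
```

Feed auditAll() the headers of real responses (for example from a crawl or a proxy export) to get the same report per endpoint; the /legacy sample shows that a value copied from the old meta-tag vocabulary silently leaves the site on the browser default.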

Common Use Cases

  1. E-commerce websites: Protect user privacy while maintaining necessary analytics
  2. Healthcare applications: Prevent leakage of sensitive information in URLs
  3. Government websites: Enhance citizen privacy and security
  4. Banking applications: Reduce information leakage that could aid phishing attacks
  5. Social media platforms: Balance analytics needs with user privacy expectations

Browser Support

The Referrer-Policy header is widely supported in modern browsers:

  • Chrome 53+
  • Firefox 50+
  • Safari 11+
  • Edge 79+
  • Internet Explorer 11 (partial support)

A browser that does not recognise a directive ignores it and applies its built-in default, which in current versions of Chrome, Firefox and Safari is strict-origin-when-cross-origin.