Controlling what the Referer header leaks
The Referrer-Policy header (and the equivalent <meta name="referrer"> tag
and per-element referrerpolicy attribute) decides how much of the current
URL is placed in the Referer request header when the browser follows a link
or loads a subresource. This reference lists all eight values and shows the
exact referrer sent in each navigation scenario.
How it works
For every outgoing request the browser computes a referrer string from the current document’s URL, trimmed according to the active policy. The key distinctions are: full URL versus origin-only, whether cross-origin requests are treated differently, and whether an HTTPS-to-HTTP downgrade suppresses the referrer:
Referrer-Policy: strict-origin-when-cross-origin
For example, on a page at https://shop.example/cart?id=9, a same-origin
request sends the full URL, a cross-origin HTTPS request sends only
https://shop.example/, and an HTTPS-to-HTTP request sends nothing.
All eight values at a glance
| Policy | Same-origin | Cross-origin HTTPS | HTTPS → HTTP |
|---|---|---|---|
no-referrer | None | None | None |
no-referrer-when-downgrade | Full URL | Full URL | None |
origin | Origin only | Origin only | Origin only |
origin-when-cross-origin | Full URL | Origin only | Origin only |
same-origin | Full URL | None | None |
strict-origin | Origin only | Origin only | None |
strict-origin-when-cross-origin | Full URL | Origin only | None |
unsafe-url | Full URL | Full URL | Full URL |
“Origin only” means the scheme, host, and port — for example https://shop.example/ — with no path or query string. “Full URL” includes the complete path and query.
Why this matters for privacy and analytics
URLs often carry sensitive information embedded in the path or query string:
session identifiers, search terms, internal resource IDs, authentication tokens
passed as parameters, and user-specific state. When a user follows a link from
your page to a third-party site, that site’s server logs every Referer header
you allow through.
Under unsafe-url, a visitor to https://clinic.example/patients/chart?id=4821
clicking a link to a CDN or analytics provider would expose the patient ID to
that third party in plain text. Under strict-origin-when-cross-origin, only
https://clinic.example/ is shared — the path and query stay private.
Similarly, no-referrer-when-downgrade — which was the browser default before
strict-origin-when-cross-origin took over — still leaks full URLs to all
HTTPS destinations, including every ad network, social widget, and analytics
script embedded on the page.
Practical guidance
For most websites: Use strict-origin-when-cross-origin. It is the modern
browser default, and for good reason: analytics tools still receive the origin,
so campaign tracking works, but paths and queries are kept private from
third parties.
For sensitive pages (healthcare, finance, legal): Consider same-origin
or no-referrer. These prevent third-party trackers from learning anything
about which internal page a user was on when they clicked.
For outbound affiliate or partner links where the destination needs the
referrer: Use origin-when-cross-origin — they see your site, but not the
specific page.
Per-element override: You can override the page-level policy on individual
links with <a href="..." referrerpolicy="no-referrer"> — useful when one link
needs tighter control than the rest.
Setting the header
# HTTP response header
Referrer-Policy: strict-origin-when-cross-origin
# HTML meta tag (equivalent)
<meta name="referrer" content="strict-origin-when-cross-origin">
The header takes precedence over the meta tag. For best coverage, set both.
Tips and notes
strict-origin-when-cross-originis the safe modern default — prefer it.- Use
no-referrerfor maximum privacy when you never need the Referer downstream. - Avoid
unsafe-url; it leaks full path and query to third parties. - Set per-link policy with
<a referrerpolicy="...">for fine control. - Origin-only values still leak which site the user came from, just not the path.