Referrer-Policy Values Reference

All Referrer-Policy values with URL exposure behavior and downgrade semantics.

Reference for every Referrer-Policy header and meta value with the exact referrer string sent per navigation scenario, including HTTPS-to-HTTP downgrade behaviour. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What is the default Referrer-Policy?

Modern browsers default to strict-origin-when-cross-origin. It sends the full URL on same-origin requests, only the origin on cross-origin requests, and nothing when navigating from HTTPS to HTTP. This balances usefulness with privacy.

Controlling what the Referer header leaks

The Referrer-Policy header (and the equivalent <meta name="referrer"> tag and per-element referrerpolicy attribute) decides how much of the current URL is placed in the Referer request header when the browser follows a link or loads a subresource. This reference lists all eight values and shows the exact referrer sent in each navigation scenario.

How it works

For every outgoing request the browser computes a referrer string from the current document’s URL, trimmed according to the active policy. The key distinctions are: full URL versus origin-only, whether cross-origin requests are treated differently, and whether an HTTPS-to-HTTP downgrade suppresses the referrer:

Referrer-Policy: strict-origin-when-cross-origin

For example, on a page at https://shop.example/cart?id=9, a same-origin request sends the full URL, a cross-origin HTTPS request sends only https://shop.example/, and an HTTPS-to-HTTP request sends nothing.

All eight values at a glance

PolicySame-originCross-origin HTTPSHTTPS → HTTP
no-referrerNoneNoneNone
no-referrer-when-downgradeFull URLFull URLNone
originOrigin onlyOrigin onlyOrigin only
origin-when-cross-originFull URLOrigin onlyOrigin only
same-originFull URLNoneNone
strict-originOrigin onlyOrigin onlyNone
strict-origin-when-cross-originFull URLOrigin onlyNone
unsafe-urlFull URLFull URLFull URL

“Origin only” means the scheme, host, and port — for example https://shop.example/ — with no path or query string. “Full URL” includes the complete path and query.

Why this matters for privacy and analytics

URLs often carry sensitive information embedded in the path or query string: session identifiers, search terms, internal resource IDs, authentication tokens passed as parameters, and user-specific state. When a user follows a link from your page to a third-party site, that site’s server logs every Referer header you allow through.

Under unsafe-url, a visitor to https://clinic.example/patients/chart?id=4821 clicking a link to a CDN or analytics provider would expose the patient ID to that third party in plain text. Under strict-origin-when-cross-origin, only https://clinic.example/ is shared — the path and query stay private.

Similarly, no-referrer-when-downgrade — which was the browser default before strict-origin-when-cross-origin took over — still leaks full URLs to all HTTPS destinations, including every ad network, social widget, and analytics script embedded on the page.

Practical guidance

For most websites: Use strict-origin-when-cross-origin. It is the modern browser default, and for good reason: analytics tools still receive the origin, so campaign tracking works, but paths and queries are kept private from third parties.

For sensitive pages (healthcare, finance, legal): Consider same-origin or no-referrer. These prevent third-party trackers from learning anything about which internal page a user was on when they clicked.

For outbound affiliate or partner links where the destination needs the referrer: Use origin-when-cross-origin — they see your site, but not the specific page.

Per-element override: You can override the page-level policy on individual links with <a href="..." referrerpolicy="no-referrer"> — useful when one link needs tighter control than the rest.

Setting the header

# HTTP response header
Referrer-Policy: strict-origin-when-cross-origin

# HTML meta tag (equivalent)
<meta name="referrer" content="strict-origin-when-cross-origin">

The header takes precedence over the meta tag. For best coverage, set both.

Tips and notes

  • strict-origin-when-cross-origin is the safe modern default — prefer it.
  • Use no-referrer for maximum privacy when you never need the Referer downstream.
  • Avoid unsafe-url; it leaks full path and query to third parties.
  • Set per-link policy with <a referrerpolicy="..."> for fine control.
  • Origin-only values still leak which site the user came from, just not the path.