Referrer-Policy controls how much of your URL is sent in the Referer header when users click out or load cross-origin resources — which can leak paths, tokens in query strings, and internal URLs.
Recommended value
Referrer-Policy: strict-origin-when-cross-origin
This sends the full URL (minus fragment) on same-origin requests, only the origin (scheme + host + port) on cross-origin requests, and nothing at all when downgrading HTTPS→HTTP. It’s also the modern browser default — setting it explicitly keeps behaviour consistent across browsers and older versions.
Stricter options: same-origin (no referrer cross-origin at all) or no-referrer (never send one).
Nginx
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
Apache
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Caddy
header Referrer-Policy "strict-origin-when-cross-origin"
_headers
/*
  Referrer-Policy: strict-origin-when-cross-origin
Verify
curl -sI https://yourdomain.com | grep -i referrer-policy
If your URLs carry secrets (reset tokens, session IDs in the path/query — which they shouldn’t), use no-referrer until you’ve moved them out of the URL. Leaked referrers are a common, quiet way those tokens reach third-party analytics and ad scripts.
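To make the three rules above concrete (full URL same-origin, origin only cross-origin, nothing on an HTTPS→HTTP downgrade) and to show what a token in the query string actually reaches a third party under each policy, here is a small simulator of the Referer computation. It is an added example written for this page, not browser code or anything from the page's configs; the URLs (app.example.com, analytics.example.net, cdn.example.org) and the reset token value are constructed sample data, and the policy rules are my reading of the W3C Referrer Policy spec for the three values the page names.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit

# The three policy values discussed on the page.
STRICT_ORIGIN_WHEN_CROSS_ORIGIN = "strict-origin-when-cross-origin"
SAME_ORIGIN = "same-origin"
NO_REFERRER = "no-referrer"

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """Origin as (scheme, host, port); a missing port is filled in from the scheme."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def _netloc(scheme: str, host: str, port) -> str:
    # Omit the port when it is the scheme default, as browsers do when serialising.
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return host
    return f"{host}:{port}"


def full_referrer(url: str) -> str:
    """Same-origin form: path and query kept, fragment and userinfo dropped."""
    p = urlsplit(url)
    scheme, host, port = origin_of(url)
    return urlunsplit((scheme, _netloc(scheme, host, port), p.path or "/", p.query, ""))


def origin_referrer(url: str) -> str:
    """Origin-only form: scheme://host[:port]/ with no path or query."""
    scheme, host, port = origin_of(url)
    return urlunsplit((scheme, _netloc(scheme, host, port), "/", "", ""))


def is_downgrade(source_url: str, target_url: str) -> bool:
    """True when an HTTPS page requests a non-HTTPS resource."""
    return origin_of(source_url)[0] == "https" and origin_of(target_url)[0] != "https"


def referer_for(source_url: str, target_url: str, policy: str):
    """Referer header value the browser would send, or None for no header."""
    if policy == NO_REFERRER:
        return None
    same_origin = origin_of(source_url) == origin_of(target_url)
    if policy == SAME_ORIGIN:
        return full_referrer(source_url) if same_origin else None
    if policy == STRICT_ORIGIN_WHEN_CROSS_ORIGIN:
        if same_origin:
            return full_referrer(source_url)
        if is_downgrade(source_url, target_url):
            return None
        return origin_referrer(source_url)
    raise ValueError(f"policy not modelled here: {policy}")


def query_params_exposed(source_url: str, target_url: str, policy: str) -> set:
    """Names of source_url query parameters that the target would see in Referer."""
    ref = referer_for(source_url, target_url, policy)
    if ref is None:
        return set()
    return set(parse_qs(urlsplit(ref).query, keep_blank_values=True))


# Constructed sample: a password-reset page that still carries its token in the query.
PAGE = "https://app.example.com/reset?token=abc123#step2"
TARGETS = {
    "same-origin page": "https://app.example.com/done",
    "third-party analytics": "https://analytics.example.net/collect",
    "plain-HTTP pixel": "http://cdn.example.org/pixel.gif",
}

if __name__ == "__main__":
    for policy in (STRICT_ORIGIN_WHEN_CROSS_ORIGIN, SAME_ORIGIN, NO_REFERRER):
        print(f"== {policy}")
        for label, target in TARGETS.items():
            ref = referer_for(PAGE, target, policy)
            exposed = sorted(query_params_exposed(PAGE, target, policy))
            print(f"  {label:22s} Referer={ref!r:45s} query params exposed={exposed}")
```

Running it shows why the page's last paragraph matters: under strict-origin-when-cross-origin the analytics endpoint sees only https://app.example.com/, but the same-origin request still carries token=abc123, and any same-origin script that forwards location or document.referrer elsewhere re-exposes it. Only moving the token out of the URL closes that path; no-referrer merely stops the browser from sending it.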