
Set a strict Referrer-Policy

MetricSpot checks for a Referrer-Policy header. Without one, what gets sent is whatever the visitor's browser defaults to, and older browsers send your full URL, tokens, PII and admin paths included, to every third-party site your pages link to or load resources from.

What this check does

Inspects response headers for a Referrer-Policy directive and verifies the value is one of the safer policies: strict-origin-when-cross-origin (the modern browser default), strict-origin, same-origin, no-referrer, or no-referrer-when-downgrade. The check fails when the header is missing or set to a leaky policy (unsafe-url, or origin-when-cross-origin, which unlike its strict- counterpart still sends the origin on an https→http downgrade). Two caveats: no-referrer-when-downgrade passes only because it was the browser default before strict-origin-when-cross-origin replaced it, and it still sends the full URL to every cross-origin HTTPS destination, so don't pick it deliberately; and the header may carry a comma-separated fallback list, of which browsers apply the last token they recognise, so that token is the one that counts.
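As an added example (not MetricSpot's code), here is the classification logic the check above describes, written in JavaScript for Node. It parses the header the way browsers do, as a comma-separated fallback list in which the last recognised token wins, and applies this page's accept list, flagging no-referrer-when-downgrade as accepted-but-leaky. The sample header values at the bottom are constructed.

```javascript
// Added example, not MetricSpot's code: the classification the check above
// describes. Browsers parse Referrer-Policy as a comma-separated fallback
// list and apply the LAST token they recognise (tokens matched exactly, as
// the Referrer Policy spec defines them), so "unsafe-url, strict-origin"
// is safe and "strict-origin, unsafe-url" is not.

const KNOWN_POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);

// The policies this page's check accepts.
const ACCEPTED = new Set([
  "strict-origin-when-cross-origin", "strict-origin", "same-origin",
  "no-referrer", "no-referrer-when-downgrade",
]);

// Policy a browser would apply from the raw header value ("" if none).
// Pass null/undefined when the response carried no header at all.
function effectivePolicy(headerValue) {
  if (headerValue == null) return "";
  let policy = "";
  for (const part of headerValue.split(",")) {
    const token = part.trim();
    if (KNOWN_POLICIES.has(token)) policy = token; // last valid token wins
  }
  return policy;
}

// The check itself: returns { pass, policy, reason }.
function checkReferrerPolicy(headerValue) {
  const policy = effectivePolicy(headerValue);
  if (policy === "") {
    return {
      pass: false,
      policy,
      reason: headerValue == null ? "header missing" : "no recognised policy token",
    };
  }
  if (policy === "no-referrer-when-downgrade") {
    // Accepted by the check, but it still sends the full URL to every
    // cross-origin HTTPS destination, so flag it rather than call it "ok".
    return { pass: true, policy, reason: "accepted, but still sends the full URL to cross-origin HTTPS sites" };
  }
  if (ACCEPTED.has(policy)) return { pass: true, policy, reason: "ok" };
  return { pass: false, policy, reason: `leaky policy: ${policy}` };
}

// Constructed sample header values, as a scanner might see them.
const SAMPLES = [
  undefined,                                      // no header at all
  "strict-origin-when-cross-origin",
  "unsafe-url, strict-origin-when-cross-origin",  // safe: last token wins
  "strict-origin-when-cross-origin, unsafe-url",  // leaky: last token wins
  "origin-when-cross-origin",                     // leaky per this check
];

function runSamples() {
  return SAMPLES.map((h) => ({ header: h ?? "(missing)", ...checkReferrerPolicy(h) }));
}

for (const r of runSamples()) {
  console.log(`${r.pass ? "PASS" : "FAIL"}  ${r.header.padEnd(46)} ${r.reason}`);
}
```

The fallback-list handling matters for a scanner: a naive equality test on the whole header string would wrongly fail the third sample and wrongly pass the fourth.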

Why it matters

The Referer request header (yes, misspelled in the original RFC and we’re stuck with it) tells every site you click through to, and every site you load a resource from, which URL the request came from. Under a leaky policy, or with no policy in a browser that predates the current default, the browser sends the full URL: path and query string included. The fragment and any userinfo in the URL are never sent, whatever the policy, so a secret in the fragment is safe from this particular leak; a secret in the query string is not.

That’s a privacy hole bigger than most people realize.

  • Token leakage. Password reset links, magic-login URLs, OAuth callbacks, and “share with this private link” URLs all carry secrets in the path or query. Under a leaky policy, every external resource on the page (analytics, fonts, third-party scripts, embedded images) and every outbound link receives the full URL, secret included, as a Referer.
  • PII leakage. URLs like /users/jane-patel@example.com/profile or /checkout?email=… leak personal data to ad networks and analytics tools.
  • Admin-path discovery. A page at /admin/users/42 that loads an external image silently advertises the existence of /admin/ to every external service it talks to.
  • GDPR exposure. Sending PII to a US-based ad network without consent can be a GDPR violation regardless of intent. A strict referrer policy is a cheap mitigation.

Modern browsers (Chrome 85+, Firefox 87+, Safari 14+) apply strict-origin-when-cross-origin when the page sets no policy. Older browsers that predate that change still send the full URL cross-origin unless you set a header explicitly, and an explicit header also means you are choosing the policy rather than relying on whatever default the visitor's browser happens to ship.

How to fix it

Pick one of the safe policies and set it in your response headers (if you can't touch headers, a <meta name="referrer" content="…"> tag in the document head works too, but the header covers every response, not just HTML):

Policy                                         Same-origin   Cross-origin   Cross-origin downgrade (https→http)
no-referrer                                    nothing       nothing        nothing
same-origin                                    full URL      nothing        nothing
strict-origin                                  origin only   origin only    nothing
strict-origin-when-cross-origin (recommended)  full URL      origin only    nothing

strict-origin-when-cross-origin is the modern default: your own internal navigations get full URLs (useful for analytics), external links get only the origin (https://example.com/), and downgrades to HTTP send nothing.
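To make the table concrete, here is an added JavaScript example (not code from MetricSpot) that computes the Referer value a browser would send for a given policy, source URL and destination, following the Fetch specification's referrer rules in simplified form. It assumes http(s) URLs only and no per-element referrerpolicy override; the sample checkout URL, which carries PII in its query string, is constructed. It also covers the policies the table leaves out (origin, origin-when-cross-origin, no-referrer-when-downgrade, unsafe-url) so the leaky ones can be compared side by side.

```javascript
// Added example, not MetricSpot's code. Computes the Referer a browser sends
// from `fromUrl` when it requests `toUrl` under `policy`, following the
// Fetch spec's "determine request's referrer" steps in simplified form.
// Assumptions: both URLs are http(s); no referrerpolicy attribute overrides.

// Whatever the policy, browsers strip credentials and the fragment first.
function stripForReferrer(urlString) {
  const u = new URL(urlString);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// An origin-only referrer is serialised with a trailing slash: https://host/
function originOf(urlString) {
  return new URL(urlString).origin + "/";
}

// Returns the Referer string, or null when nothing is sent.
function refererFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol === "http:";
  const full = stripForReferrer(fromUrl);
  const origin = originOf(fromUrl);

  switch (policy) {
    case "":                              // no policy set: modern browser default
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade":
      return downgrade ? null : full;     // full URL to every HTTPS site
    case "same-origin":
      return sameOrigin ? full : null;
    case "origin":
      return origin;                      // origin even on a downgrade
    case "strict-origin":
      return downgrade ? null : origin;
    case "origin-when-cross-origin":
      return sameOrigin ? full : origin;  // origin even on a downgrade
    case "unsafe-url":
      return full;                        // full URL everywhere, even over HTTP
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Constructed sample page: a checkout URL carrying PII in the query string.
const PAGE = "https://shop.example.com/checkout?email=jane@example.com#step2";
const SAME_ORIGIN_LINK = "https://shop.example.com/thanks";
const CROSS_ORIGIN_LOAD = "https://analytics.example.net/collect";
const DOWNGRADE_LOAD = "http://cdn.example.net/pixel.gif";

// One row of the table above: [same-origin, cross-origin, cross-origin downgrade]
function tableRow(policy) {
  return [SAME_ORIGIN_LINK, CROSS_ORIGIN_LOAD, DOWNGRADE_LOAD]
    .map((to) => refererFor(policy, PAGE, to));
}

for (const policy of ["no-referrer", "same-origin", "strict-origin",
                      "strict-origin-when-cross-origin",
                      "no-referrer-when-downgrade", "unsafe-url"]) {
  console.log(policy.padEnd(34), tableRow(policy).map((r) => r ?? "nothing").join(" | "));
}
```

Running it shows the point of the table in one glance: under no-referrer-when-downgrade and unsafe-url the analytics host receives jane@example.com, while under any of the four recommended policies it receives at most https://shop.example.com/. The #step2 fragment never appears in any row.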

nginx:

add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Apache:

Header always set Referrer-Policy "strict-origin-when-cross-origin"

Caddy:

header Referrer-Policy "strict-origin-when-cross-origin"

Cloudflare — Rules → Transform Rules → Modify Response Header, set globally.

Next.js (next.config.js):

module.exports = {
  async headers() {
    return [{
      source: "/(.*)",
      headers: [
        { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
      ],
    }];
  },
};

Express with Helmet (note that helmet() with default options sets no-referrer, so pass the policy explicitly if you want the recommended default):

import helmet from "helmet";
app.use(helmet.referrerPolicy({ policy: "strict-origin-when-cross-origin" }));

Per-link override. If a specific link needs different referrer behavior, use the referrerpolicy attribute on <a> or <img>:

<a href="https://partner.example.com/" referrerpolicy="no-referrer">Partner</a>

Audit yourself:

curl -sI https://yourdomain.com/ | grep -i referrer-policy

Expect a single line with your chosen policy. If grep returns nothing, the header is missing. Two things to keep in mind: -I sends a HEAD request, and some frameworks skip middleware on HEAD, so if the result looks wrong, repeat it as a GET with curl -s -o /dev/null -D - https://yourdomain.com/; and if the value is a comma-separated list, the browser applies the last token it recognises, so make sure that one is the policy you meant.

Frequently asked questions

Will this break my analytics?

No, as long as your analytics is same-origin (running on your domain) or self-hosted. Cross-origin analytics tools that rely on full referrer URLs (some attribution tools) may see less data with strict-origin-when-cross-origin, but they still get the origin — usually enough to attribute the visit.

Should I use no-referrer to be safest?

no-referrer is the safest but breaks many legitimate flows: payment gateways often check the referrer to confirm a checkout originated from a real merchant site; OAuth providers sometimes log the referrer for fraud detection; analytics breaks. strict-origin-when-cross-origin is the right default.

Does this affect SEO?

No. Search engines don’t read referrer policy. The header only affects outbound clicks and resource loads. SEO-wise it’s neutral; privacy-wise it’s a meaningful upgrade.

Last updated 2026-05-11