Referrer

Referrer-Policy


Referrer-Policy controls how much of the current URL is sent in the Referer header when users navigate or fetch resources. Leaky values can expose paths, query strings, or tokens to third parties. strict-origin-when-cross-origin (the modern browser default) sends the full URL to same-origin destinations, only the origin to cross-origin destinations, and nothing on an HTTPS→HTTP downgrade. no-referrer is the most private value: it sends no Referer header at all. (Source: MDN)

Example

Referrer-Policy: strict-origin-when-cross-origin

Options

| Option | Type | Default | Notes |
|---|---|---|---|
| value | select (no-referrer / same-origin / strict-origin / strict-origin-when-cross-origin / origin / origin-when-cross-origin / no-referrer-when-downgrade / unsafe-url) | strict-origin-when-cross-origin | |

Scoring

Contributes up to 8 points to your grade.

Full specification on MDN ↗