Security Server response header - Referrer-Policy

What is the Referrer-Policy header

The HTTP Referrer-Policy header tells the browser how much referrer information it should send with requests made while a web page is processed. It is used to protect the user's security and privacy.

Basic directives

no-referrer - do not send information with requests.
no-referrer-when-downgrade - information is sent only during the transition from HTTPS to HTTPS and from HTTP to HTTPS. This policy is used by default.
no-referrer-when-cross-origin - information is sent only over the same protocol, from HTTPS to HTTPS and from HTTP to HTTP.
origin - information will be transmitted if the client's request comes from the same origin.
strict-origin - sends origin information only to a potentially trusted URL.
origin-when-cross-origin - if the request is sent to another web resource or protocol, the origin policy applies.

Using Referrer-Policy in nginx.conf (NGINX):
add_header Referrer-Policy 'no-referrer-when-downgrade';

Using Referrer-Policy in httpd.conf (Apache):
Header set Referrer-Policy "no-referrer-when-downgrade"

Using Referrer-Policy in .htaccess:
<ifModule mod_headers.c>
    Header set Referrer-Policy "no-referrer-when-downgrade"
</ifModule>
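
Checking that the header actually reaches clients after one of the configurations above is deployed: the following is an added example, not part of the original page. It audits a captured response header block; the function name, the sample responses and the token list (taken from the W3C Referrer Policy specification) are assumptions of the example.

```python
# Added example. Policy values as defined by the W3C Referrer Policy spec.
VALID_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

def audit_referrer_policy(raw_headers):
    """Return (effective_policy, unknown_tokens, header_count)."""
    values = []
    for line in raw_headers.splitlines()[1:]:       # skip the status line
        if not line.strip():
            break                                    # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "referrer-policy":
            values.append(value)
    effective, unknown = None, []
    # Repeated headers are handled as one comma-separated list of tokens.
    for token in ",".join(values).split(","):
        token = token.strip().lower()                # assumption: case-insensitive match
        if not token:
            continue
        if token in VALID_POLICIES:
            effective = token                        # last recognised token wins
        else:
            unknown.append(token)                    # a typo here is silently ignored by browsers
    return effective, unknown, len(values)

# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "ok": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "Referrer-Policy: no-referrer-when-downgrade\r\n\r\n<html>",
    "typo": "HTTP/1.1 200 OK\r\nReferrer-Policy: no-referer\r\n\r\n",
    "fallback": "HTTP/1.1 200 OK\r\nReferrer-Policy: no-referrer, strict-origin\r\n\r\n",
    "duplicate": "HTTP/1.1 200 OK\r\nReferrer-Policy: origin\r\n"
                 "referrer-policy: bogus\r\n\r\n",
    "missing": "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        policy, unknown, count = audit_referrer_policy(raw)
        print(f"{label:10} headers={count} effective={policy} unknown={unknown}")
```

An effective policy of None means the browser falls back to its own default. Error responses are worth checking separately: NGINX's add_header only applies to them when the always parameter is given.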
 