missing-referrer-policy
Referrer-Policy not set
Without a Referrer-Policy, your visitor's browser may quietly leak the full URL of every page on your site to every third party you link to or load resources from. The fix is one line.
What this means in plain English
Whenever your visitor’s browser loads anything on a page — an image, a script, a font, a link they click — it tells the destination where the request came from. That information is called the referrer. By default, browsers attach the page’s URL (or part of it) to every outgoing request.
Without a Referrer-Policy instruction, browsers fall back to a reasonable but not strict default. On older browsers and in some older user agents, the default is even more permissive: send the full URL, including any query string or path that may be sensitive.
Why it matters to your business
Most pages on a website have URLs that are perfectly fine to leak
— /about, /products, /contact. The problem is the small number
of URLs that aren’t:
- Password-reset links and magic-login links contain a one-time token in the URL.
- Authenticated dashboards may have URLs that reveal the structure of your admin area.
- Shareable links to private documents often encode access in the URL itself.
If any of those pages loads a third-party script, font, or image, the third party’s logs may end up containing a working reset token, a private document URL, or sensitive search terms. This has been a real issue at major SaaS vendors (HubSpot, Atlassian, others) within the last few years.
A Referrer-Policy is a one-line backstop that prevents most of this leakage with no functional impact on your site.
How to fix it
Whoever runs your web server adds a single instruction. The standard recommended choice:
Referrer-Policy: strict-origin-when-cross-origin
This sends the full URL only on requests within your own site, just the bare domain (no path) on cross-site requests over HTTPS, and nothing at all if a downgrade to plain HTTP would be involved. It matches modern browser defaults and is what OWASP recommends.
Stricter alternatives if you don’t need referrer information:
same-origin— sends a referrer only to your own site, never to third parties.no-referrer— never sends a referrer. Breaks some affiliate tracking and analytics that depend on referrer information; safe for sites with no marketing tooling that needs it.
Common server snippets:
nginx:
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
Apache:
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Caddy:
header Referrer-Policy "strict-origin-when-cross-origin"
A separate-but-related fix: don’t put tokens in URLs
A Referrer-Policy is a useful safety net, but the better long-term fix is to not put tokens in URLs in the first place. If you have flows that send a one-time token in a URL (password reset, magic-link login, share-by-link), the receiving page should remove the token from the URL as soon as it loads — that way it never ends up in browser history, bookmarks, or referrer headers in the first place. Whoever wrote that part of your application can do this in a few lines.