Referrer-Policy

Referrer-Policy

Referrer-Policy Definition

Referrer-Policy refers to an HTTP header that controls how much information a website shares about the user's browsing activity when navigating to another page. The referrer header reveals the URL of the previous web page that the user visited, enabling the receiving website to see where the request originated from.

How Referrer-Policy Works

When a user clicks on a link to navigate to a new page, the referrer header is automatically passed along with the request. This can potentially expose sensitive information, such as the URL of the previous page, to the owner of the new page.

The Referrer-Policy header allows website administrators to specify if the referrer information should be included, excluded, or modified when the user navigates to a different web page. This helps in controlling the amount of information shared with external websites and can mitigate potential privacy and security risks.

Prevention Tips

• Configure the web server to set the Referrer-Policy HTTP header to control the amount of referrer information shared.
• Choose a strict policy to limit the amount of referrer data shared with external sites, reducing the risk of privacy breaches.
• Regularly review and update the Referrer-Policy settings based on best practices and security recommendations.

Referer Header

The referrer header, also known as the Referer header, is an HTTP header field that contains the URL of the previous web page from which a link was followed. It is automatically included in the request when a user navigates from one page to another. The referral information provided by the referrer header helps website owners understand the source of traffic to their site, analyze user behavior, and track the effectiveness of marketing campaigns.

However, the referrer header has raised concerns related to privacy and security. By default, the referrer header exposes the full URL of the previous page, including any query parameters and sensitive information. This can lead to unintended disclosure of personal or confidential data to website owners or third-party services.

Controlling Referrer Information with Referrer-Policy

To address the privacy and security risks associated with the referrer header, the Referrer-Policy header was introduced. The Referrer-Policy header allows website administrators to control the amount of referrer information shared when a user navigates to a different web page.

By setting the Referrer-Policy header, website owners can specify whether the referrer information should be included, excluded, or modified. Here are some common Referrer-Policy directives:

• no-referrer: The referrer header is completely excluded from the request. This means that no referrer information is shared with the receiving website. This is the strictest policy and provides the highest level of privacy. However, it may limit some legitimate functionality, such as analytics and click tracking.

• no-referrer-when-downgrade: This is the default policy if no Referrer-Policy header is specified. It sends the full referrer information when navigating to a secure (HTTPS) website but excludes the referrer when navigating to a less secure (HTTP) website. This helps to protect the referrer information when moving from a secure to a non-secure site.

• origin: Only the origin part of the referrer URL is sent. The origin consists of the scheme, domain, and port, but excludes any path or query parameters. This provides some information about the source of the request without exposing the full URL.

• origin-when-cross-origin: Similar to the origin policy, except that the full referrer URL is sent when the request is made within the same origin (same domain). This helps with analytics and tracking within a website while still protecting the referrer information when navigating to other domains.

• strict-origin: Only the origin part of the referrer URL is sent, regardless of whether it is a same-origin or cross-origin request. This policy provides the most privacy by excluding the path and query parameters.

• strict-origin-when-cross-origin: Similar to the strict-origin policy, except that the full referrer URL is sent when the request is made within the same origin (same domain). This policy strikes a balance between privacy and functionali