Skip to main content

Referrer-Policy Header

Issue No: 139

Category: HTTP Security Headers

Issue Type: Suggestion

Priority: Standard


Description

Pages should declare a Referrer-Policy HTTP response header (or an equivalent <meta name="referrer"> tag) to control what referrer information is sent when users navigate to linked external sites, preventing unintentional leakage of sensitive URL parameters.


How Do We Capture It

Where to Find

HTTP response header:

Referrer-Policy: strict-origin-when-cross-origin

Or as a meta tag in HTML <head>:

<meta name="referrer" content="strict-origin-when-cross-origin">

Extraction Flow

  1. Issue an HTTP GET to the target URL.
  2. Read the raw HTTP response headers.
  3. Extract the Referrer-Policy header value (header name is case-insensitive).
  4. Parse the raw HTML response bytes.
  5. Scan the <head> block for <meta name="referrer"> tags.
  6. Extract the content attribute value from any matched meta tag.
  7. Determine the effective policy: the HTTP header takes precedence over the meta tag when both are present.
  8. Check whether the effective policy value matches a known valid directive (see list below).
  9. Set referrer_policy_is_unsafe = TRUE if the effective policy value is unsafe-url.

Valid directive values: no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url.

Validation Logic

The crawler validates:

  • Whether the Referrer-Policy HTTP response header is present.
  • Whether a <meta name="referrer"> tag exists in the HTML head.
  • Whether the effective policy value is a recognized valid directive.
  • Whether the effective policy is unsafe-url.

How to Get It

Crawler should:

  1. Read HTTP response headers; extract Referrer-Policy header value.
  2. Parse raw HTML <head>; find <meta name="referrer" content="...">.
  3. Set effective policy: header value if present, otherwise meta tag value.
  4. Validate effective policy against the known directive list.
  5. Set has_any_referrer_policy = TRUE if either source declares a policy.
  6. Set referrer_policy_is_unsafe = TRUE if effective policy equals unsafe-url.

What to Store

FieldTypeComment
has_referrer_policy_headerBOOLEANWhether the Referrer-Policy HTTP response header is present
referrer_policy_header_valueTEXTValue of the Referrer-Policy HTTP response header (NULL if absent)
has_referrer_policy_metaBOOLEANWhether a meta name="referrer" tag exists in the HTML head
referrer_policy_meta_valueTEXTValue of the meta referrer tag content attribute (NULL if absent)
has_any_referrer_policyBOOLEANWhether a referrer policy is declared via either HTTP header or meta tag
effective_referrer_policyTEXTThe active referrer policy value; HTTP header takes precedence over meta tag (NULL if neither exists)
referrer_policy_is_valid_directiveBOOLEANWhether the effective policy value is a recognized valid directive
referrer_policy_is_unsafeBOOLEANWhether the effective policy is unsafe-url, which sends the full URL to all cross-origin destinations

Condition for Trigger

The following trigger rules evaluate referrer policy declaration and safety.

  • Trigger Rule 1: No Referrer Policy Declared

    • Target Field: has_any_referrer_policy
    • Evaluation Logic: = FALSE
    • Severity: SUGGESTION
    • Diagnostic Message: "No Referrer-Policy header or meta tag was found. Without an explicit policy, browsers may send the full URL including path and query string as the referrer header to cross-origin destinations. Declare a Referrer-Policy header to control what referrer information is shared."
  • Trigger Rule 2: Unsafe Referrer Policy Declared

    • Target Field: referrer_policy_is_unsafe
    • Evaluation Logic: = TRUE
    • Severity: SUGGESTION
    • Diagnostic Message: "The effective referrer policy is unsafe-url, which sends the full URL including path and query parameters to all destinations regardless of protocol or origin. This may leak sensitive query string data such as tokens or session identifiers to external sites. Replace with a more restrictive directive such as strict-origin-when-cross-origin."

Sources


Long Description

The Referrer-Policy HTTP header controls what value is included in the Referer request header when a browser follows a link, submits a form, or loads a subresource. Without an explicit policy, the browser applies a default — which in modern browsers (Chrome 85+, Firefox 87+) is strict-origin-when-cross-origin, but in older browsers was no-referrer-when-downgrade, which sends the full URL for same-protocol navigations.

The difference matters for pages whose URLs contain sensitive query parameters (e.g., /reset-password?token=abc123, /checkout?promo=SECRET50). If a user clicks an external link from such a page without a strict referrer policy, the target site receives that full URL in its server logs and analytics.

Directive behavior reference:

DirectiveSame-originCross-origin HTTPS→HTTPSDowngrade HTTPS→HTTP
no-referrerNothingNothingNothing
same-originFull URLNothingNothing
strict-originOrigin onlyOrigin onlyNothing
strict-origin-when-cross-originFull URLOrigin onlyNothing
no-referrer-when-downgradeFull URLFull URLNothing
unsafe-urlFull URLFull URLFull URL

Common failure scenarios:

1. No Policy Declared — Relying on Browser Default

Different browsers and browser versions apply different defaults. An explicit policy is always preferred to guarantee consistent behavior across user agents.

2. unsafe-url Policy Set

Setting Referrer-Policy: unsafe-url sends the full URL including query string to every site the user navigates to, including cross-origin destinations. This is the most permissive and least safe directive.

3. Policy Set Only via Meta Tag

While the meta tag is valid, it is parsed as part of the HTML document. HTTP response headers are processed by the browser before HTML parsing begins. For early-fetched subresources (e.g., preloaded assets), the meta tag may not yet be applied. The HTTP header is the preferred mechanism.

4. Invalid Directive Value

If the Referrer-Policy header contains a typo or an unrecognized value, browsers silently ignore it and fall back to the browser default, making the policy declaration ineffective.


How to Fix

Set the Referrer-Policy HTTP response header in your server or CDN configuration:

Referrer-Policy: strict-origin-when-cross-origin

Alternatively, declare it in the HTML <head> as a meta tag:

<meta name="referrer" content="strict-origin-when-cross-origin">

The HTTP header is preferred. Choose the most restrictive policy that does not break analytics, affiliate tracking, or partner integrations. For most sites, strict-origin-when-cross-origin provides the right balance between analytics compatibility and privacy protection.