Referrer-Policy Header
Issue No: 139
Category: HTTP Security Headers
Issue Type: Suggestion
Priority: Standard
Description
Pages should declare a Referrer-Policy HTTP response header (or an equivalent <meta name="referrer"> tag) to control what referrer information is sent when users navigate to linked external sites, preventing unintentional leakage of sensitive URL parameters.
How Do We Capture It
Where to Find
HTTP response header:
Referrer-Policy: strict-origin-when-cross-origin
Or as a meta tag in HTML <head>:
<meta name="referrer" content="strict-origin-when-cross-origin">
Extraction Flow
- Issue an HTTP GET to the target URL.
- Read the raw HTTP response headers.
- Extract the
Referrer-Policyheader value (header name is case-insensitive). - Parse the raw HTML response bytes.
- Scan the
<head>block for<meta name="referrer">tags. - Extract the
contentattribute value from any matched meta tag. - Determine the effective policy: the HTTP header takes precedence over the meta tag when both are present.
- Check whether the effective policy value matches a known valid directive (see list below).
- Set
referrer_policy_is_unsafe = TRUEif the effective policy value isunsafe-url.
Valid directive values: no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url.
Validation Logic
The crawler validates:
- Whether the
Referrer-PolicyHTTP response header is present. - Whether a
<meta name="referrer">tag exists in the HTML head. - Whether the effective policy value is a recognized valid directive.
- Whether the effective policy is
unsafe-url.
How to Get It
Crawler should:
- Read HTTP response headers; extract
Referrer-Policyheader value. - Parse raw HTML
<head>; find<meta name="referrer" content="...">. - Set effective policy: header value if present, otherwise meta tag value.
- Validate effective policy against the known directive list.
- Set
has_any_referrer_policy = TRUEif either source declares a policy. - Set
referrer_policy_is_unsafe = TRUEif effective policy equalsunsafe-url.
What to Store
| Field | Type | Comment |
|---|---|---|
has_referrer_policy_header | BOOLEAN | Whether the Referrer-Policy HTTP response header is present |
referrer_policy_header_value | TEXT | Value of the Referrer-Policy HTTP response header (NULL if absent) |
has_referrer_policy_meta | BOOLEAN | Whether a meta name="referrer" tag exists in the HTML head |
referrer_policy_meta_value | TEXT | Value of the meta referrer tag content attribute (NULL if absent) |
has_any_referrer_policy | BOOLEAN | Whether a referrer policy is declared via either HTTP header or meta tag |
effective_referrer_policy | TEXT | The active referrer policy value; HTTP header takes precedence over meta tag (NULL if neither exists) |
referrer_policy_is_valid_directive | BOOLEAN | Whether the effective policy value is a recognized valid directive |
referrer_policy_is_unsafe | BOOLEAN | Whether the effective policy is unsafe-url, which sends the full URL to all cross-origin destinations |
Condition for Trigger
The following trigger rules evaluate referrer policy declaration and safety.
-
Trigger Rule 1: No Referrer Policy Declared
- Target Field:
has_any_referrer_policy - Evaluation Logic:
= FALSE - Severity: SUGGESTION
- Diagnostic Message: "No Referrer-Policy header or meta tag was found. Without an explicit policy, browsers may send the full URL including path and query string as the referrer header to cross-origin destinations. Declare a Referrer-Policy header to control what referrer information is shared."
- Target Field:
-
Trigger Rule 2: Unsafe Referrer Policy Declared
- Target Field:
referrer_policy_is_unsafe - Evaluation Logic:
= TRUE - Severity: SUGGESTION
- Diagnostic Message: "The effective referrer policy is unsafe-url, which sends the full URL including path and query parameters to all destinations regardless of protocol or origin. This may leak sensitive query string data such as tokens or session identifiers to external sites. Replace with a more restrictive directive such as strict-origin-when-cross-origin."
- Target Field:
Sources
- MDN — Referrer-Policy
- MDN — meta name=referrer
- OWASP Secure Headers Project — Referrer-Policy
- W3C — Referrer Policy specification
- Google Search Central — Security headers
Long Description
The Referrer-Policy HTTP header controls what value is included in the Referer request header when a browser follows a link, submits a form, or loads a subresource. Without an explicit policy, the browser applies a default — which in modern browsers (Chrome 85+, Firefox 87+) is strict-origin-when-cross-origin, but in older browsers was no-referrer-when-downgrade, which sends the full URL for same-protocol navigations.
The difference matters for pages whose URLs contain sensitive query parameters (e.g., /reset-password?token=abc123, /checkout?promo=SECRET50). If a user clicks an external link from such a page without a strict referrer policy, the target site receives that full URL in its server logs and analytics.
Directive behavior reference:
| Directive | Same-origin | Cross-origin HTTPS→HTTPS | Downgrade HTTPS→HTTP |
|---|---|---|---|
no-referrer | Nothing | Nothing | Nothing |
same-origin | Full URL | Nothing | Nothing |
strict-origin | Origin only | Origin only | Nothing |
strict-origin-when-cross-origin | Full URL | Origin only | Nothing |
no-referrer-when-downgrade | Full URL | Full URL | Nothing |
unsafe-url | Full URL | Full URL | Full URL |
Common failure scenarios:
1. No Policy Declared — Relying on Browser Default
Different browsers and browser versions apply different defaults. An explicit policy is always preferred to guarantee consistent behavior across user agents.
2. unsafe-url Policy Set
Setting Referrer-Policy: unsafe-url sends the full URL including query string to every site the user navigates to, including cross-origin destinations. This is the most permissive and least safe directive.
3. Policy Set Only via Meta Tag
While the meta tag is valid, it is parsed as part of the HTML document. HTTP response headers are processed by the browser before HTML parsing begins. For early-fetched subresources (e.g., preloaded assets), the meta tag may not yet be applied. The HTTP header is the preferred mechanism.
4. Invalid Directive Value
If the Referrer-Policy header contains a typo or an unrecognized value, browsers silently ignore it and fall back to the browser default, making the policy declaration ineffective.
How to Fix
Set the Referrer-Policy HTTP response header in your server or CDN configuration:
Referrer-Policy: strict-origin-when-cross-origin
Alternatively, declare it in the HTML <head> as a meta tag:
<meta name="referrer" content="strict-origin-when-cross-origin">
The HTTP header is preferred. Choose the most restrictive policy that does not break analytics, affiliate tracking, or partner integrations. For most sites, strict-origin-when-cross-origin provides the right balance between analytics compatibility and privacy protection.