Overview

When you follow a link, or a page loads an image, script, or other resource from another site, the browser typically sends the URL of the current page to the destination in the Referer header (the misspelling is part of the header's name). This can leak sensitive information embedded in that URL, such as session IDs, one-time tokens, or private user data carried in the path or query string.

Common Directives

  • no-referrer: The Referer header is omitted entirely.
  • same-origin: The full URL (minus credentials and fragment) is sent only when the destination has the same origin, meaning the same scheme, host, and port; cross-origin requests carry no Referer.
  • strict-origin-when-cross-origin: Sends the full URL for same-origin requests, only the origin (for example https://example.com/) for cross-origin requests, and nothing when the request downgrades from HTTPS to an HTTP destination. An HTTP page linking to another HTTP site still sends its origin. This is the default applied by current browsers when no policy is set.
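
To make the directives concrete, the following added example (not code from the original page) computes the Referer value a browser would send for a given policy, source URL, and destination URL. It covers the three directives above and, going beyond the list, the remaining standard directives as well. The sample URLs, including the reset token in the query string, are constructed for illustration.

```javascript
// Added example: reproduce the Referer computation for each Referrer-Policy
// directive. Uses only the WHATWG URL API, so it runs in Node or a browser.
// Sample URLs below are constructed, not taken from any real site.

// "Strip for use as a referrer": drop credentials and fragment, keep path+query.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Origin-only form, serialized with a trailing slash as browsers send it.
function originOf(url) {
  return new URL(url).origin + "/";
}

// Simplified "potentially trustworthy" check: HTTPS or loopback.
function isTrustworthy(url) {
  const u = new URL(url);
  return u.protocol === "https:" || u.hostname === "localhost" || u.hostname === "127.0.0.1";
}

// Returns the Referer header value, or null when no header is sent.
function computeReferrer(policy, sourceUrl, destUrl) {
  const sameOrigin = new URL(sourceUrl).origin === new URL(destUrl).origin;
  // A downgrade is HTTPS source -> non-HTTPS destination.
  const downgrade = isTrustworthy(sourceUrl) && !isTrustworthy(destUrl);

  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade":
      return downgrade ? null : stripForReferrer(sourceUrl);
    case "same-origin":
      return sameOrigin ? stripForReferrer(sourceUrl) : null;
    case "origin":
      return originOf(sourceUrl);
    case "strict-origin":
      return downgrade ? null : originOf(sourceUrl);
    case "origin-when-cross-origin":
      return sameOrigin ? stripForReferrer(sourceUrl) : originOf(sourceUrl);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return stripForReferrer(sourceUrl);
      return downgrade ? null : originOf(sourceUrl);
    case "unsafe-url":
      return stripForReferrer(sourceUrl);
    default:
      throw new Error("unknown Referrer-Policy directive: " + policy);
  }
}

// Constructed scenario: a reset page with a token in its URL links out to a
// third-party tracker. Show what each directive would leak.
const SOURCE = "https://app.example/reset?token=SECRET123";
const SAME_ORIGIN_DEST = "https://app.example/account";
const CROSS_ORIGIN_DEST = "https://tracker.example/pixel.gif";
const HTTP_DEST = "http://tracker.example/pixel.gif";

function leakReport() {
  const policies = ["no-referrer", "same-origin", "strict-origin-when-cross-origin", "unsafe-url"];
  const report = {};
  for (const p of policies) {
    report[p] = {
      sameOrigin: computeReferrer(p, SOURCE, SAME_ORIGIN_DEST),
      crossOrigin: computeReferrer(p, SOURCE, CROSS_ORIGIN_DEST),
      downgrade: computeReferrer(p, SOURCE, HTTP_DEST),
    };
  }
  return report;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(leakReport(), null, 2));
}
```

Running the block prints a table showing that only `unsafe-url` (and the legacy `no-referrer-when-downgrade` default of older browsers) hands the token to the cross-origin tracker, while the strict default reduces it to `https://app.example/` and sends nothing at all on the HTTP downgrade.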

Privacy Benefit

Using a restrictive Referrer-Policy helps protect user privacy and prevents the accidental disclosure of sensitive internal URLs, including any tokens or identifiers they carry, to third-party sites. The policy can be set site-wide with the Referrer-Policy HTTP response header, per page with a <meta name="referrer"> element, or per element with the referrerpolicy attribute on links and resource tags. Because it only controls what the browser sends, it is a mitigation rather than a substitute for keeping secrets out of URLs in the first place.

Related Terms