The Referrer-Policy header controls how much information your browser shares with a destination site when you click a link. By default, browsers include an HTTP request header called “Referer” (the header name is a historical misspelling of “referrer”) that tells the destination site where the link was located.
The Referer header can contain the full URL of the page where the link was clicked, and the Referrer-Policy allows you to limit or adjust what gets sent.
For example, you are now on the page “https://really-simple-ssl.com/definition/what-is-referrer-policy/”. If you follow a link on this page to a different destination (e.g., example.com), your browser might send the following Referrer header to the destination.
Referer: https://really-simple-ssl.com/definition/what-is-referrer-policy/
This way, the destination site knows which page you were visiting before you followed the link to their site. This can be useful for analytics, affiliate attribution and marketing purposes, but it also raises privacy concerns.
Issues
Although sending referrer information has legitimate purposes, there are serious security and privacy issues with this approach. From a privacy point of view, there is often no real need for the destination site to know what page you were visiting before you clicked the link. Depending on your browser settings, you might even send the query string of the current URL to the destination server.
This query string could include sensitive details. For example, if you are visiting a page on a site with medical information such as “https://medicalinfo.org/stage1-dementia”, and then click on a hyperlink to a medical insurance site, the insurance company now knows that you were visiting a page about dementia and could refuse service to you.
Although this is a bad security practice, there are websites that include authentication tokens in the URL query string. When a user clicks a link on such a site, the target website could receive this authentication token and execute actions on the source site as the affected user.
Up to November 2020, the default browser setting (no-referrer-when-downgrade) was to include the complete URL in the Referer header, including the full domain name and query string, unless the connection was downgraded from https to http. Because of the privacy and security issues involved, all major browsers changed their default setting to strict-origin-when-cross-origin.
This ensures that the browser sends complete referrer information only within the same domain/origin, and only the domain name to cross-origin destinations. No referrer information is sent at all if the connection is downgraded to insecure http.
Options
The Referrer-Policy header has the following options:
- no-referrer -> send no referrer information under any circumstance
- no-referrer-when-downgrade (old default browser setting) -> send complete referrer information unless the connection is downgraded from https to http
- origin -> always send the domain name as referrer
- origin-when-cross-origin -> send complete referrer information within the same website but only the domain name to other websites or when the connection is downgraded from https to http
- same-origin -> send complete referrer information within the same website but no referrer at all to other websites
- strict-origin -> always send the domain name, except when the connection is downgraded from https to http
- strict-origin-when-cross-origin (recommended, current default browser setting) -> send complete referrer information to the same domain and only the domain name to other websites but no referrer at all when the connection is downgraded from https to http
- unsafe-url -> always send complete referrer information regardless of destination and security
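As an added example (not code from Really Simple SSL or from any browser), the following JavaScript models the decision each option above makes for a single link click, so you can see what a destination would receive under each policy. It assumes Node's WHATWG URL class; the source and destination URLs are constructed sample values.

```javascript
// Model of the Referer value a browser derives from a Referrer-Policy.
// Hypothetical helper for illustration; browsers implement this in native code.

const POLICIES = [
  'no-referrer', 'no-referrer-when-downgrade', 'origin',
  'origin-when-cross-origin', 'same-origin', 'strict-origin',
  'strict-origin-when-cross-origin', 'unsafe-url',
];

// "Domain name" in the option list means the origin (scheme + host + port),
// which browsers send with a trailing slash.
function originOf(url) {
  return new URL(url).origin + '/';
}

// Complete referrer: the full URL minus fragment and credentials,
// which are never sent.
function fullReferrer(url) {
  const u = new URL(url);
  u.hash = ''; u.username = ''; u.password = '';
  return u.href;
}

// Returns the Referer header value, or null when no header is sent.
function refererFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl), to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';
  switch (policy) {
    case 'no-referrer':                return null;
    case 'no-referrer-when-downgrade': return downgrade ? null : fullReferrer(fromUrl);
    case 'origin':                     return originOf(fromUrl);
    case 'origin-when-cross-origin':   return sameOrigin ? fullReferrer(fromUrl) : originOf(fromUrl);
    case 'same-origin':                return sameOrigin ? fullReferrer(fromUrl) : null;
    case 'strict-origin':              return downgrade ? null : originOf(fromUrl);
    case 'strict-origin-when-cross-origin':
      if (downgrade) return null;
      return sameOrigin ? fullReferrer(fromUrl) : originOf(fromUrl);
    case 'unsafe-url':                 return fullReferrer(fromUrl);
    default: throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// Table of what every policy would leak for one click (constructed URLs).
function compareAll(fromUrl, toUrl) {
  return Object.fromEntries(POLICIES.map((p) => [p, refererFor(p, fromUrl, toUrl)]));
}

console.table(compareAll('https://medicalinfo.org/stage1-dementia?visit=2#top', 'http://insurer.example/'));
```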
NOTE: By default, Really Simple Security Pro will set this header to the current default browser setting (strict-origin-when-cross-origin).