The Referrer-Policy header was created to control information sent by browsers to destination servers when clicking on hyperlinks. The http standard includes a http request header called “referrer” that is used by your browser to send information to a site you are visiting after clicking a hyperlink to that site. This referrer can contain the complete url of the page that the link was on. Example: You are now on the page “https://really-simple-ssl.com/definition/what-is-referrer-policy/”. If you click on a link like https://complianz.io your browser could send the following information “referrer: https://really-simple-ssl.com/definition/what-is-referrer-policy/” to the complainz.io server. This way Complianz knows what server and page you were on when you clicked the hyperlink to Complianz. This can be useful for analytics, affiliate fees and marketing purposes.
Issues
Although sending referrer information has legitimate purposes there are serious security and privacy issues with this approach. From a privacy point of view, in most cases there is no real need for the site you are visiting to know what page you were on when you clicked the hyperlink. Depending on settings your browser might even send the query string in your browser to the destination server. This query string could include sensitive details. For example: If you are visiting a page on a site with medical information such as “https://medicalinfo4you.org/stage1-dementia” and click on a hyperlink to a medical insurance site, the insurance company now knows you were visiting a page about dementia and could refuse service to you.
Although this is bad security practice there are numerous websites that include authentication tokens in the url query string. When clicking a link on such a site, the target website could receive the authentication token and execute actions on the the source site using the token of the visiting user.
Up to November 2020 the default setting for browsers (no-referrer-when-downgrade) was to send the complete url, meaning the full domain name + query string unless the connection was downgraded from https to http. Because of the privacy and security issues mentioned above the browsers changed the default settings to strict-origin-when-cross-origin, only sending complete referrer information to the same domain and only the domain name to other websites but no referrer at all when the connection is downgraded from https to http.
Options
The Referrer-Policy header has the following options:
- no-referrer -> send no referrer information under any circumstance
- no-referrer-when-downgrade (old default browser setting) -> send complete referrer information unless the connection is downgraded from https to http
- origin -> always send the domain name as referrer
- origin-when-cross-origin -> send complete referrer information within the same website but only the domain name to other websites or when the connection is downgraded from https to http
- same-origin -> send complete referrer information within the same website but no referrer at all to other websites
- strict-origin -> always send the domain name, except when the connection is downgraded from https to http
- strict-origin-when-cross-origin (current default browser setting) -> send complete referrer information to the same domain and only the domain name to other websites but no referrer at all when the connection is downgraded from https to http
- unsafe-url -> always send complete referrer information regardless of destination and security
References
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
https://web.dev/referrer-best-practices
https://scotthelme.co.uk/a-new-security-header-referrer-policy
NOTE: By default, Really Simple SSL Pro will set this header to the current default browser setting of strict-origin-when-cross-origin
