IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. HTTP Security Headers
  3. Referrer-Policy

HTTP security header

Referrer-Policy

The Referrer-Policy header governs how much of the originating URL is sent in the Referer header on navigation and resource requests. A restrictive policy prevents leaking sensitive path or query data (tokens, IDs) to third-party sites and analytics.

Example

Referrer-Policy: strict-origin-when-cross-origin

Configuration guidance

  • Use strict-origin-when-cross-origin or no-referrer for sensitive apps.
  • Never place secrets in URLs, regardless of referrer policy.

Related headers

Content-Security-Policy
MDN: Referrer-Policy

Impactr checks security-header configuration as part of testing your web apps and APIs the way an attacker would - and proves what a missing header actually exposes.

Test my app
← All security headers
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub