HTTP security header
Referrer-Policy
The Referrer-Policy header governs how much of the originating URL is sent in the Referer header on navigation and resource requests. A restrictive policy prevents leaking sensitive path or query data (tokens, IDs) to third-party sites and analytics.
Example
Referrer-Policy: strict-origin-when-cross-originConfiguration guidance
- Use strict-origin-when-cross-origin or no-referrer for sensitive apps.
- Never place secrets in URLs, regardless of referrer policy.
Related headers
Impactr checks security-header configuration as part of testing your web apps and APIs the way an attacker would - and proves what a missing header actually exposes.
Test my app