HTTP security headers

Referrer-Policy

How Referrer-Policy limits the URL data leaked when visitors click away, and how WebGuard flags a missing policy.

Last updated June 9, 2026

What it is

Referrer-Policy is a response header that controls how much of the current URL is sent in the `Referer` header when a visitor follows a link or loads a resource on another site.

Why it matters

Full referrer URLs can leak internal paths, session tokens, or identifiers to third parties such as analytics and ad networks. A balanced policy keeps the origin for cross-site requests while withholding the full path, reducing accidental disclosure without breaking legitimate referrer use.

How WebGuard checks it

WebGuard reads your response headers and reports whether a Referrer-Policy is present. It is a read-only observation of headers your server already sends.

A sensible starting configuration:

Referrer-Policy: strict-origin-when-cross-origin

Check this on your own domain

WebGuard reviews this alongside the rest of your external exposure in a single read-only pass. Run a free review, or see everything it covers.