Referrer-Policy Recommender
Recommend a Referrer-Policy value for your site type and compare how each value behaves.
The Referrer-Policy response header controls how much of the originating URL the browser places in the Referer header when a user follows a link or loads a resource. Send too much and the full URL — including query strings and session tokens — can leak to third parties; send too little and referral analytics or some authentication flows may break.
Pick your site profile (general, privacy-sensitive, or analytics/ad-dependent) and this tool instantly recommends a Referrer-Policy value, then compares the behavior of all eight policy values side by side. For a full audit of your response headers see Security Headers Checker, and for the Content-Security-Policy you usually set alongside it, try the CSP Generator.
Recommended value: strict-origin-when-cross-origin

| Response header | Referrer-Policy: strict-origin-when-cross-origin |
|---|---|
| Why | This matches the modern browser default. Full URL to same origin, only the origin cross-origin, and nothing on a downgrade — the best balance of safety and compatibility. |
| Value | Behavior |
|---|---|
| no-referrer | Never sends a Referer under any circumstances |
| no-referrer-when-downgrade | Sends the full URL unless it is a downgrade (HTTPS to HTTP) (legacy default) |
| origin | Always sends only the origin (scheme + host + port) |
| origin-when-cross-origin | Full URL to same origin, only the origin cross-origin |
| same-origin | Full URL to same origin, nothing cross-origin |
| strict-origin | Sends only the origin, and nothing on a downgrade |
| strict-origin-when-cross-origin | Full URL same-origin, origin cross-origin, nothing on a downgrade (current default) |
| unsafe-url (not recommended) | Always sends the full URL, including on a downgrade — risky, not recommended |
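To make the table concrete, the following is an added Python example (not code from this tool) that computes the Referer value a browser would send for a given policy, referring page and destination, following the eight rows above. The origin, downgrade and URL-stripping helpers are a simplification: default ports are not normalized and credentials/fragments are simply dropped, as browsers do.

```python
from urllib.parse import urlsplit, urlunsplit

POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

def _origin(url):
    # scheme + host + port; userinfo is ignored (assumption: ports not normalized)
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname}{port}"

def _full(url):
    # A Referer never carries credentials or the fragment
    p = urlsplit(url)
    return urlunsplit(("", "", p.path or "/", p.query, "")).join(
        [_origin(url), ""])

def referer_for(policy, referrer, destination):
    """Return the Referer value sent under `policy`, or None for no header."""
    if policy not in POLICIES:
        raise ValueError(f"unknown Referrer-Policy: {policy}")
    same_origin = _origin(referrer) == _origin(destination)
    downgrade = (urlsplit(referrer).scheme == "https"
                 and urlsplit(destination).scheme == "http")
    origin_only = _origin(referrer) + "/"   # browsers serialize origin with "/"
    full = _full(referrer)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    # strict-origin-when-cross-origin (the current browser default)
    if same_origin:
        return full
    return None if downgrade else origin_only

def compare_all(referrer, destination):
    """Side-by-side view: what each of the eight policies would send."""
    return {p: referer_for(p, referrer, destination) for p in sorted(POLICIES)}
```

Running compare_all("https://shop.example/cart?token=abc", "http://tracker.example/") shows that only unsafe-url hands the token to the downgraded third party.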
Why strict-origin-when-cross-origin is the default
Modern browsers use strict-origin-when-cross-origin when no policy is set. It sends the full URL to the same origin, only the origin to cross-origin destinations, and nothing on an HTTPS to HTTP downgrade. That strikes a balance: analytics tools can still recognize the referring domain, while paths and query strings stay private.
- General site: strict-origin-when-cross-origin (effectively the default)
- Privacy-sensitive: no-referrer or same-origin
- Analytics / ad-dependent: strict-origin-when-cross-origin (keeps the origin)
Values to avoid
unsafe-url always sends the full URL, even on a downgrade. Tokens, emails, or search terms in the query string can be handed to third parties verbatim, so it is discouraged in almost every case. no-referrer-when-downgrade is the old permissive default and leaks the full URL cross-origin, so avoid choosing it explicitly.
How to apply it
Setting it as a server response header is the most reliable approach. In nginx the directive is add_header Referrer-Policy "strict-origin-when-cross-origin" always; (the trailing semicolon is part of the nginx syntax), and the equivalent meta tag is <meta name="referrer" content="strict-origin-when-cross-origin">. When both are present, the header generally takes precedence.