Insecure Referrer Policy
Description
The Referrer-Policy HTTP header controls what information the browser includes in the Referer request header when users follow a link away from your site, submit a form to another site, or when your pages load external resources such as scripts, images, and fonts. The same value is exposed to scripts on the destination page through document.referrer. When this policy is not configured or is set to a permissive value such as 'unsafe-url' (full URL to every destination, even over plain HTTP) or 'no-referrer-when-downgrade' (full URL to any HTTPS destination, withheld only on HTTPS-to-HTTP navigations), the full URL, including path and query string, may be sent to third-party sites. This can expose sensitive information embedded in URLs, such as password-reset or session tokens, user identifiers, or search terms, to advertisers, CDNs, analytics providers, and any site you link to. Current Chromium and Firefox releases default to 'strict-origin-when-cross-origin' when no policy is set, but older browsers fall back to 'no-referrer-when-downgrade', so an unset policy should still be treated as a finding.
Remediation
Configure the Referrer-Policy header to a value that limits information disclosure while preserving the functionality you need. The recommended value is 'strict-origin-when-cross-origin': it sends the full URL (minus credentials and fragment) for same-origin requests, sends only the origin (scheme, host, and port, serialized with a trailing slash, e.g. https://example.com/) for cross-origin requests, and sends no referrer at all when navigating from HTTPS to HTTP. Setting it explicitly makes the behaviour uniform across browsers rather than relying on the browser default.
Implementation examples:
HTTP Header:
Referrer-Policy: strict-origin-when-cross-origin
HTML Meta Tag:
<meta name="referrer" content="strict-origin-when-cross-origin">
Apache (.htaccess; 'always' applies the header to error responses as well):
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Nginx:
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
For applications handling highly sensitive data, consider 'same-origin' (send the full URL only to same-origin destinations, nothing cross-origin) or 'no-referrer' (never send the Referer header). Note that 'no-referrer' suppresses the header on same-origin requests too, which breaks any CSRF check or analytics that relies on Referer; validate the Origin header instead if you take that route. Individual outbound links to untrusted sites can be tightened beyond the page-wide policy with the referrerpolicy attribute or rel="noreferrer". Avoid 'unsafe-url' and 'no-referrer-when-downgrade' in production. Referrer-Policy only limits what leaks to other sites; it does not protect secrets in URLs from browser history, server logs, or proxies, so the root fix is to keep tokens and other secrets out of URLs altogether.
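To make the policy semantics from the description and remediation above concrete, the following added example (not part of the original page) implements the browser's referrer-determination rules for each Referrer-Policy value and a small checker for the header value a server returns. It lets you see exactly what a page such as https://app.example/reset?token=... would leak to a third-party script host under each policy. The URLs are constructed for illustration; the treatment of an unset header as the browser default 'strict-origin-when-cross-origin' reflects current Chromium and Firefox and is noted as an assumption in the code.

```python
from urllib.parse import urlsplit, urlunsplit

# Values accepted by the Referrer-Policy header.
POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Values this check reports as a finding (full URL sent to other HTTPS sites).
PERMISSIVE = {"unsafe-url", "no-referrer-when-downgrade"}


def _host_port(parts):
    """Host plus port, omitting the scheme's default port and any userinfo."""
    default = {"https": 443, "http": 80}.get(parts.scheme)
    host = parts.hostname or ""
    if parts.port is None or parts.port == default:
        return host
    return f"{host}:{parts.port}"


def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{_host_port(parts)}"


def full_url_form(url):
    """Full-URL referrer: browsers always drop credentials and the fragment."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, _host_port(parts), parts.path or "/", parts.query, ""))


def referrer_for(policy, source, destination):
    """Referer header value a browser sends for a request from source to
    destination under the given policy, or None when no header is sent.
    Assumption: an empty policy means the modern browser default."""
    policy = policy or "strict-origin-when-cross-origin"
    if policy not in POLICIES:
        raise ValueError(f"unknown Referrer-Policy value: {policy!r}")
    src, dst = urlsplit(source), urlsplit(destination)
    same_origin = origin_of(source) == origin_of(destination)
    downgrade = src.scheme == "https" and dst.scheme == "http"  # HTTPS -> HTTP
    full = full_url_form(source)
    origin = origin_of(source) + "/"  # origin-only referrers carry a trailing slash

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    # strict-origin-when-cross-origin
    if same_origin:
        return full
    return None if downgrade else origin


def assess_header(headers):
    """Classify a response's Referrer-Policy from a header mapping.
    Returns (effective_policy, verdict) where verdict is 'missing',
    'insecure', or 'ok'. The header may list several comma-separated
    values as fallbacks; the last one the browser recognises wins."""
    raw = ""
    for name, value in headers.items():
        if name.lower() == "referrer-policy":
            raw = value
    tokens = [t.strip().lower() for t in raw.split(",") if t.strip()]
    effective = next((t for t in reversed(tokens) if t in POLICIES), "")
    if not effective:
        return "", "missing"
    return effective, ("insecure" if effective in PERMISSIVE else "ok")


if __name__ == "__main__":
    # Constructed sample: a reset link with a token, loading a third-party script.
    page = "https://app.example/reset?token=abc123"
    third_party = "https://cdn.third-party.example/lib.js"
    plain_http = "http://tracker.example/pixel.gif"
    for policy in sorted(POLICIES):
        print(f"{policy:32} -> {referrer_for(policy, page, third_party)!r}"
              f" | to http: {referrer_for(policy, page, plain_http)!r}")
    print(assess_header({"Referrer-Policy": "no-referrer, strict-origin-when-cross-origin"}))
```

Running the script prints, for each policy, the Referer value delivered to the HTTPS third party and to a plain-HTTP destination; the permissive policies hand over the token, while 'strict-origin-when-cross-origin' reduces it to https://app.example/ and sends nothing on the HTTP downgrade. assess_header is the check to run against a real response's headers (for example a requests or httpx response.headers mapping) when auditing a deployment.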