Referrer Policy Explained: Prevent URL Data Leaks

Quick Summary

The Referer header tells external sites which URL a user was viewing on your site.
URLs often contain sensitive data: password reset tokens, email addresses, session IDs.
Referrer-Policy controls how much of this data the browser shares.
Recommended setting: strict-origin-when-cross-origin.

Introduction

Every time a user clicks a link or your page loads a third-party resource, the browser silently sends a Referer header to the destination. This header contains the URL of the page the user was viewing, including the full path and any query parameters.

This seemingly innocent behavior creates a massive privacy risk. URLs frequently contain sensitive information like password reset tokens, email addresses, search queries, and session identifiers. Without a proper Referrer-Policy, this data is silently transmitted to every third-party service your page loads, from Google Fonts to analytics scripts to ad networks.

This guide explains how the Referrer-Policy header works, why it is critical for privacy and GDPR compliance, and exactly how to configure it correctly on any web server.

What Is the Referer Header?

The Silent Data Carrier

When a user navigates from your site to another, or when your page loads a third-party resource (script, font, image, stylesheet), the browser sends a Referer header containing the URL of the originating page.

This means every third-party script, image, and font request reveals exactly which page the user was viewing, including the full URL path and query string. If your URL contains /reset?token=abc123, that token is sent to every external resource loaded on the page.

Visualizing the Leak

The Referrer-Policy HTTP header controls how much of this URL data the browser includes. By setting the right policy, you can strip sensitive query parameters while still allowing basic navigation to work correctly. You can review the exact specification in the W3C Referrer Policy document.

Why It Matters: The Privacy Risk

Common URL Leak Vectors

URLs frequently contain sensitive information that should never leave your domain:

URL Pattern	Data Leaked	Risk Level
/reset?token=abc123	Password reset token	Critical
/dashboard?user=john@example.com	Email address (PII)	High
/search?q=medical+condition	Sensitive search query	High
/checkout?session=xyz789	Session identifier	Critical
/admin?api_key=sk-live-xxx	API key / secret	Critical

Legal and Compliance Implications

GDPR Violation

If your site loads a third-party script (like Google Fonts) and the Referer header leaks PII to that external company, that constitutes a data transfer to a third party without consent, a direct GDPR violation. European courts have ruled specifically on this issue.

The risk compounds with third-party requests. The average marketing website makes 30–80 external requests per page load. Each one receives the full Referer header unless you configure a policy to restrict it.

Real-World Examples

Referrer data leaks have caused significant real-world incidents:

Healthcare portals: Patient dashboard URLs containing diagnosis codes were leaked to analytics providers via the Referer header, resulting in HIPAA violations and GDPR complaints.
Password reset exploits: Reset tokens in URLs were captured by third-party CDN providers. Attackers with access to CDN logs could hijack accounts.
German court ruling (2022): A German court found that loading Google Fonts from Google's servers (which transmits the user's IP and Referer to Google) violated GDPR, awarding €100 in damages per affected user.
Financial services: Investment portfolio pages with account IDs in URLs were leaked to social media tracking pixels.

The Google Fonts Case

This landmark case established that even loading a publicly available font from an external domain constitutes a data transfer under GDPR if it involves sending the user's IP address and referrer URL to Google servers.

Check if your site is leaking URL data to third parties.

Run Referrer Policy Check

How to Detect the Issue

Run an automated scan: Use the Referrer Policy Checker to instantly see your current setting and whether it is adequate.
Check response headers manually: Open browser DevTools → Network tab → click any request → look for the Referrer-Policy response header.
Inspect outbound requests: In DevTools, filter by third-party domains and check their request headers for the Referer field. If it contains a full URL path with query parameters, your policy is too permissive.
Audit URLs for PII: Use the PII Leak Checker to scan your pages for exposed personal data in URLs.

Referrer Policy Values

Value	Behavior	Use Case
no-referrer	Never send any referrer data	Maximum privacy, breaks affiliate tracking
same-origin	Full URL for same-origin, nothing cross-origin	Internal-only analytics
strict-origin-when-cross-origin	Full URL same-origin; domain only cross-origin (HTTPS→HTTPS); nothing on downgrade	Recommended default
origin	Always send domain only, strip path	Basic privacy protection
origin-when-cross-origin	Full URL same-origin; domain only cross-origin	Balanced approach
unsafe-url	Always send full URL everywhere	Never use, leaks everything

How to Fix It

The Golden Standard

Recommended Header

Referrer-Policy: strict-origin-when-cross-origin

This provides the best balance:

Same-origin: Full URL sent (internal navigation works normally)
Cross-origin HTTPS→HTTPS: Only the domain is sent (strips sensitive paths)
HTTPS→HTTP downgrade: Nothing is sent (prevents interception)

Server Configuration

Add it to your web server or CDN configuration. Here are examples for common setups:

Nginx

add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Apache (.htaccess)

Header always set Referrer-Policy "strict-origin-when-cross-origin"

Next.js (next.config.js)

headers: async () => [{
  source: "/(.*)",
  headers: [{
    key: "Referrer-Policy",
    value: "strict-origin-when-cross-origin"
  }]
}]

Best Practices

Always set Referrer-Policy explicitly, do not rely on browser defaults, as they can vary across versions and may change.
Use POST for sensitive forms, GET requests put data in the URL, which the Referer header then leaks. POST requests keep data in the request body.
Avoid putting PII in URLs, replace email-based URLs with opaque UUIDs. See the PII Data Exposure guide for details.
Self-host fonts and libraries, this eliminates referrer leaks to third-party domains entirely.
Combine with a strong CSP, a Content Security Policy restricts which domains can be contacted in the first place.
Set the policy at the server level, not per-link, the rel="noreferrer" attribute only works for individual links and is easy to forget.

Common Mistakes

Setting unsafe-url: This sends the full URL (including path and query parameters) to every external request. Never use this value.
Relying on rel="noreferrer" alone: This only works for links you manually tag. It does nothing for third-party scripts, fonts, or images that load automatically.
Forgetting about meta-tag conflicts: If both an HTTP header and a <meta name="referrer"> tag are present, the most restrictive one wins. This can cause unexpected behavior.
Not auditing after changes: Hosting migrations and CDN updates can reset or override your Referrer-Policy. Always verify with a Referrer Policy Checker.
Ignoring API endpoints: REST API responses also send Referer headers. If your API URLs contain tokens or user IDs, they are equally vulnerable.

Conclusion

The Referrer-Policy header is a simple, one-line change that prevents an entire category of data leaks. Without it, every third-party resource your page loads receives the full URL the user was viewing, including any tokens, email addresses, or sensitive query parameters.

Set strict-origin-when-cross-origin as your default and combine it with URL hygiene practices to eliminate this risk entirely.

Scan Your Website

Scan your website with SitePrivacyScore to detect referrer policy issues automatically. Our free scanner checks your Referrer-Policy header and identifies potential URL data leaks.

Frequently Asked Questions

Can I set Referrer Policy using a meta tag?+

Yes. Use <meta name="referrer" content="strict-origin-when-cross-origin"> in your document head. However, HTTP headers are preferred for consistent coverage across all resources.

Why do affiliate links break with strict policies?+

Some affiliate networks need the Referer header to attribute traffic. Using strict-origin-when-cross-origin sends the domain (enough for attribution) while stripping sensitive query parameters.

What is the default Referrer Policy in modern browsers?+

Most modern browsers default to strict-origin-when-cross-origin. However, you should still set the header explicitly to ensure consistent behavior across all browser versions.

Does Referrer Policy affect analytics?+

It can. If you use no-referrer, analytics platforms won't see which page referred the user. strict-origin-when-cross-origin is the best balance.

Can Referrer Policy prevent all PII leaks?+

No. It only controls the Referer header. PII can also leak through form data, URL paths, page titles, and tracker payloads. Combine it with a PII audit for full protection.

Does Referrer-Policy work on all browsers?+

Yes. All modern browsers (Chrome, Firefox, Safari, Edge) fully support Referrer-Policy. Older IE versions ignore it but default to less strict behavior anyway.

Identify URL Data Leaks

A loose Referrer-Policy can quietly leak passwords, tokens, and PII to third-party ad networks. Run an audit to catch these vulnerabilities.

Run Full Privacy Audit Browse All Free Tools

For deeper runtime checks, run the full privacy audit →