Free lightweight tool, no login required

Free Referrer Policy Checker

Check if a website's Referrer-Policy HTTP header is properly configured. Prevent sensitive URL information from leaking.

Why is Referrer Policy Important for Privacy?

When a user clicks a link on your website that leads to an external domain, the browser automatically sends a Referer request header to the destination server. This header contains the exact URL the user was previously visiting.

If your URLs contain sensitive parameters, like ?token=123 or user IDs, that data is leaked directly into the logs of the third-party website. The Referrer-Policy response header lets you instruct the browser to strip the path and parameters, or omit the referrer entirely, protecting your users' privacy.

Stop data leakage across your whole site

The Referrer Policy is just one way data escapes. Run a full SitePrivacyScore audit to scan for third-party trackers, unconsented cookies, and exposed PII.

Frequently Asked Questions

What is the Referer header?
The 'Referer' header (historically misspelled with one 'r') is an HTTP header sent by the browser. When a user clicks a link from Site A to Site B, the browser tells Site B: 'The user came from Site A.' This is useful for analytics, but bad for privacy if Site A's URL contains sensitive data.
What does the Referrer-Policy header do?
The 'Referrer-Policy' HTTP response header is sent by your server. It instructs the browser on exactly how much information it is allowed to include in the Referer header when navigating away from your page or loading external resources like images or scripts.
Why is 'strict-origin-when-cross-origin' recommended?
This policy is the modern default for most browsers for good reason. It sends the full URL (path and parameters) when navigating within your own site. But when navigating to an external site, it only sends the domain name (e.g., example.com) and strips everything else, protecting sensitive URL parameters.
What happens if my site has no Referrer-Policy?
If you don't explicitly set a policy, modern browsers (Chrome, Firefox, Safari) will fall back to their default behavior, which is currently 'strict-origin-when-cross-origin'. However, relying on browser defaults is risky, as older browsers may default to 'no-referrer-when-downgrade', which leaks the full URL on HTTPS-to-HTTPS requests.
Can Referrer Policy break my website?
Generally, no, unless you rely on cross-domain referrers for authentication or specific analytics tracking configurations. In most cases, restrictive policies only break third-party tools that are trying to track your users' exact traversal paths through your application.
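
As an added example (not code from this tool or its authors), the Python sketch below models how a browser picks the effective policy from a Referrer-Policy header and which Referer value it then sends. It covers all eight policy values, going beyond the two named in the FAQ; the function names are hypothetical, and default ports and "potentially trustworthy" local URLs are simplified away.

```python
from urllib.parse import urlsplit

POLICIES = {"no-referrer", "no-referrer-when-downgrade", "origin",
            "origin-when-cross-origin", "same-origin", "strict-origin",
            "strict-origin-when-cross-origin", "unsafe-url"}
BROWSER_DEFAULT = "strict-origin-when-cross-origin"  # modern default named in the FAQ

def effective_policy(header_value):
    """Last recognised token of the comma-separated header wins; unknown tokens are skipped."""
    policy = None
    for token in (header_value or "").split(","):
        token = token.strip().lower()
        if token in POLICIES:
            policy = token
    return policy or BROWSER_DEFAULT

def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.rpartition('@')[2]}"  # drop any user:pass@ part

def referer_for(policy, source, dest):
    """Return the Referer a browser would send from `source` to `dest`, or None."""
    src = urlsplit(source)
    # The fragment is never sent, even with the most permissive policy.
    full = f"{_origin(source)}{src.path or '/'}" + (f"?{src.query}" if src.query else "")
    origin_only = _origin(source) + "/"
    same_origin = _origin(source).lower() == _origin(dest).lower()
    # Assumption: "downgrade" is simplified to HTTPS source, non-HTTPS destination.
    downgrade = src.scheme == "https" and urlsplit(dest).scheme != "https"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if downgrade:  # the three remaining policies send nothing on HTTPS -> HTTP
        return None
    if policy == "no-referrer-when-downgrade":
        return full
    if policy == "strict-origin":
        return origin_only
    return full if same_origin else origin_only  # strict-origin-when-cross-origin

def leaks_query(header_value, source, dest):
    """True if the policy lets the source URL's query string reach `dest`."""
    sent = referer_for(effective_policy(header_value), source, dest)
    query = urlsplit(source).query
    return bool(sent and query and query in sent)
```

Calling `leaks_query` with the header value your server returns, a page URL that carries a parameter, and an external destination shows whether that parameter would reach the third party.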