What it is
Browsers attach a Referer header (the HTTP header name keeps its historical misspelling) whenever they follow links, load images, or fetch external resources. Without a restrictive Referrer-Policy, that header can expose the full URL path, query parameters, tokens, and internal route names to other sites. Legacy defaults such as no-referrer-when-downgrade still ship in some browsers, so applications must explicitly define a safer policy rather than rely on the browser default.
Why it matters
Referrer leakage reveals how your application is structured and which parameters carry sensitive context. Attackers and third parties can use the data to:
- Map internal URLs, admin panels, and APIs
- Harvest tokens in login, reset, or checkout flows
- Combine data leaks with CSRF, phishing, or session hijacking campaigns
How to reduce risk
- Set a strict policy such as no-referrer or strict-origin-when-cross-origin so only minimal origin data is shared.
- Avoid permissive settings that transmit full URLs to other origins, especially across downgrades from HTTPS to HTTP.
- Review redirects, analytics tags, embedded widgets, and marketing pixels to ensure they do not require full referrer values.
- Validate the effective policy using browser dev tools or external scanners to confirm what information is sent.
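To see what each policy actually discloses before choosing one, the following added example (not code from the original page) models the browser's referrer computation for the common Referrer-Policy values and flags when a query string carrying a token would reach another origin. The URLs are constructed samples; the policy semantics follow the Referrer Policy specification.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"


def full_referrer(url: str) -> str:
    # Browsers strip the fragment before sending a full-URL referrer
    return urlsplit(url)._replace(fragment="").geturl()


def referrer_sent(policy: str, source: str, dest: str):
    """Referer value a browser sends for a request from `source` to `dest`
    under `policy`, or None when no header is sent."""
    same_origin = origin_of(source) == origin_of(dest)
    # Downgrade: navigating/fetching from an HTTPS page to a plain-HTTP URL
    downgrade = urlsplit(source).scheme == "https" and urlsplit(dest).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_referrer(source)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_referrer(source)
    if policy == "same-origin":
        return full_referrer(source) if same_origin else None
    if policy == "origin":
        return origin_of(source)
    if policy == "strict-origin":
        return None if downgrade else origin_of(source)
    if policy == "origin-when-cross-origin":
        return full_referrer(source) if same_origin else origin_of(source)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full_referrer(source)
        return None if downgrade else origin_of(source)
    raise ValueError(f"unknown Referrer-Policy value: {policy}")


def leaks_query_cross_origin(policy: str, source: str, dest: str) -> bool:
    """True when the query string of `source` (reset tokens, ids) would be
    sent to a different origin under `policy`."""
    sent = referrer_sent(policy, source, dest)
    cross_origin = origin_of(source) != origin_of(dest)
    return sent is not None and cross_origin and urlsplit(sent).query != ""


# Constructed sample: a reset page with a token, plus two third-party loads
RESET_URL = "https://app.example.com/reset?token=abc123"
PIXEL_URL = "https://analytics.example.net/px.gif"   # cross-origin, HTTPS
LEGACY_URL = "http://cdn.example.net/widget.js"      # HTTPS -> HTTP downgrade

if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(policy, referrer_sent(policy, RESET_URL, PIXEL_URL),
              referrer_sent(policy, RESET_URL, LEGACY_URL))
```

Running it shows the legacy default handing the full token-bearing URL to the analytics host, while strict-origin-when-cross-origin sends only "https://app.example.com/" and nothing at all on the HTTP downgrade.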
Related Terms
- Front-End Security Headers
- Content Security Policy (CSP)
- Cross-Site Request Forgery (CSRF)
- Credential Leakage