What is the Referrer-Policy header?
Referrer-Policy is a security header that controls how much of your page’s address is passed to the next site when a visitor clicks a link or loads an external resource. Around 81% of Australian small business websites send no Referrer-Policy at all*:
- What leaks by default — the full address of the page they were on, which can include search terms, account pages or internal paths you would rather not hand to a third party.
- strict-origin-when-cross-origin — a sensible default: it shares the full path within your own site but only the bare domain when leaving it.
- no-referrer — the strictest option; it sends nothing at all, at the cost of breaking some analytics attribution.
It is privacy hygiene in one line — set strict-origin-when-cross-origin unless you have a reason not to.