Referrer Policy is a newer HTTP header, drafted in 2015 and implemented in browsers last year. This header controls the value of the referrer header the browser sends when the user navigates away from your website pages.

This article continues the previous one, Part 1 of Security related HTTP Headers. The first part was an introduction and also described several important (and simpler) headers. You can check it out here: Security related HTTP Headers, Part 1: Introduction.

Referrer Header

Before we go on, it is important to understand what the ‘Referrer’ is. Any time you go from one web page to another by clicking a link, the browser sends the origin URL as part of the HTTP headers block, under the name ‘referer’ (the misspelling is historical and is the name used in the standard). This header is essential for traffic tracking and analytics because it helps us follow the user while browsing the website, get entry and exit information, or calculate bounce rates.

Referrer Policy Header

Now, if you want to control whether the referrer header is set in the first place when the user navigates away from your website page, you can use the new Referrer-Policy header. This header allows various values or combinations of values. Referrer Policy is also applied when the user navigates from one page of your own website to another; the policy of each page visited is applied.

Basic Terminology

Here are a few important terms you need to understand:

  • origin: the URL from which the user navigates away
  • destination: the URL to which the user navigates
  • protocol: the communication protocol of the URL, either HTTP or HTTPS
  • downgraded protocol: the origin is an HTTPS URL and the destination is an HTTP URL

Possible Values

Here is the list of allowed values for the Referrer Policy:

  • no-referrer: the ‘referer’ HTTP header will not be set.
  • no-referrer-when-downgrade: if the user goes from an HTTPS URL to an HTTP URL, ‘referer’ will not be set.
  • same-origin: ‘referer’ will be set only for requests with the same origin (same website and same protocol, HTTPS or HTTP).
  • origin: ‘referer’ will be set, but the path of the URL is removed; only the domain name part of the URL is sent.
  • strict-origin: the same as ‘origin’, but ‘referer’ is sent only if the protocol is not downgraded.
  • origin-when-cross-origin: the full ‘referer’ is sent for same-origin requests; otherwise only the domain name part of the URL is sent.
  • strict-origin-when-cross-origin: the same as above, but for cross-origin requests the domain name part is sent only if the protocol is not downgraded.
  • unsafe-url: the full ‘referer’ is sent, regardless of the origin and destination URLs.

Allowed combinations

You can set the Referrer-Policy header to one or more of these values, comma separated. But some combinations are not valid, because the values can conflict. If you choose ‘no-referrer’ or ‘unsafe-url’, use them alone: with those two, the ‘referer’ header is either off entirely or on for everything.
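As an added illustration (not code from the article), this Python model applies each of the eight values listed above to a navigation, and also parses a comma-separated header value as discussed under ‘Allowed combinations’. Assumptions, taken from the W3C Referrer Policy specification rather than from the article: the ‘origin’ form is scheme://host[:port]/, the full form drops only the fragment and any user:password@ part, ports are kept as written, and when several values are listed the browser uses the last one it recognises (older browsers simply skip tokens they do not know).

```python
from urllib.parse import urlsplit

# The eight values the article lists; browsers ignore anything else.
POLICIES = {"no-referrer", "no-referrer-when-downgrade", "same-origin",
            "origin", "strict-origin", "origin-when-cross-origin",
            "strict-origin-when-cross-origin", "unsafe-url"}

def parse_referrer_policy(header_value):
    """Effective policy from a comma-separated header value. Assumption (per
    the W3C spec): unknown tokens are skipped and the last recognised wins."""
    policy = ""
    for token in header_value.split(","):
        token = token.strip().lower()
        if token in POLICIES:
            policy = token
    return policy

def _forms(url):
    """(origin form, full form): origin is scheme://host[:port]/ only; full
    keeps path and query. Both drop the fragment and any user:password@."""
    p = urlsplit(url)
    host = f"{p.hostname}:{p.port}" if p.port else p.hostname
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{host}/", f"{p.scheme}://{host}{p.path or '/'}{query}"

def compute_referrer(origin_url, dest_url, policy):
    """Referer value the browser sends for the navigation, or None for none."""
    origin, full = _forms(origin_url)
    same_origin = origin == _forms(dest_url)[0]
    downgrade = (urlsplit(origin_url).scheme == "https"
                 and urlsplit(dest_url).scheme == "http")
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    # no-referrer-when-downgrade, also the browser default when unset ("")
    return None if downgrade else full
```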

Examples for the header

Here are a few examples of how to set this header for Nginx and Apache servers.

Example 1

# nginx
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# apache
Header always set Referrer-Policy "strict-origin-when-cross-origin"

Example 2

# nginx
add_header Referrer-Policy "no-referrer-when-downgrade, origin-when-cross-origin" always;

# apache
Header always set Referrer-Policy "no-referrer-when-downgrade, origin-when-cross-origin"

Browsers Support

All modern browsers support this header, but there are some exceptions:

  • MS Internet Explorer doesn’t support this header at all.
  • Opera Mini doesn’t support this header at all.
  • Safari and iOS Safari support the old draft, with the allowed values never, always, origin and default.
  • MS Edge supports the old draft, with the allowed values never, always, origin and default.
  • Chrome before version 60 doesn’t support the values same-origin, strict-origin and strict-origin-when-cross-origin.

Recommendations

On Dev4Press I am currently using the Referrer Policy, set to no-referrer-when-downgrade. Using the no-referrer or unsafe-url values is not recommended, and if you use SSL (the HTTPS protocol), make sure to set no-referrer-when-downgrade or one of the strict values. There is no universal recommendation; it all depends on what you need and want to achieve, and you can easily test different values and see how they behave.

All these security headers (with the exception of the problematic Public-Key-Pins) can be easily configured and applied using Dev4Press’ own plugin, GD Security Toolbox Pro, without the need for any custom coding.

About the author

MillaN
Dev4Press owner and lead developer

Programmer since the age of 12 and now WordPress developer with more than 8 years of WordPress experience, author of more than 100 plugins and more than 20 themes.
