Referrer Policy is a new HTTP header drafted in 2015 and implemented last year. This header controls the value of the referrer header the browser sends when the user navigates away from your website pages.
This article continues from the previous one, Part 1 of the Security related HTTP Headers series. The first part was an introduction and also described several important (and simpler) headers. You can check it out here: Security related HTTP Headers, Part 1: Introduction.
Before we go on, it is important to understand what the ‘Referrer’ is. Any time you go from one website page to another by clicking a link, the browser sends the origin URL as part of the HTTP headers block, under the name ‘referer’ (the misspelling is historical and is the actual header name). This header is essential for traffic tracking and analytics because it helps track the user while browsing the website, getting entry and exit information or calculating bounce rates.
Referrer Policy Header
Now, if you want to control when and how the referrer header is set when the user navigates away from your website page, you can use the new Referrer Policy header. This header allows various values or combinations of values. Referrer Policy is applied even when the user navigates from one page to another on your own website; the policy of each visited page applies to navigations away from it.
Here are a few important terms you need to understand:
- origin: the URL from which the user navigates away
- destination: the URL to which the user navigates
- protocol: the communication protocol of the URL, either HTTP or HTTPS
- downgraded protocol: an HTTPS URL is the origin and an HTTP URL is the destination
Here is the list of allowed values for the Referrer Policy:
- no-referrer: the HTTP header ‘referer’ is never sent.
- no-referrer-when-downgrade: the full ‘referer’ is sent, except when the user goes from an HTTPS URL to an HTTP URL, in which case it is not set.
- same-origin: ‘referer’ is sent only for requests with the same origin (same website and same protocol, HTTPS or HTTP).
- origin: ‘referer’ is sent, but the path of the URL is removed; only the domain name part of the URL is sent.
- strict-origin: the same as ‘origin’, but only if the protocol is not downgraded.
- origin-when-cross-origin: the full ‘referer’ is sent for same-origin requests. Otherwise, only the domain name part of the URL is sent.
- strict-origin-when-cross-origin: the same as above, but on cross-origin requests the domain name is sent only if the protocol is not downgraded.
- unsafe-url: the full ‘referer’ is always sent, regardless of the origin and destination URL.
You can set the Referrer Policy header to one or more of these values, comma separated. But some combinations are not valid, because the values conflict with each other. If you choose to use ‘no-referrer’ or ‘unsafe-url’, use them alone, because they turn ‘referer’ either off entirely or on for everything.
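To make the list above concrete, here is an added example (not code from the original article) that models what each single policy value makes the browser put in the ‘referer’ header for a navigation from an origin URL to a destination URL. The URLs are constructed samples; the function names are my own.

```python
from urllib.parse import urlsplit

def _netloc(url):
    # Host and port only: a Referer never carries user:password credentials.
    p = urlsplit(url)
    return p.hostname + (f":{p.port}" if p.port else "")

def full_referrer(url):
    # "Full" Referer: scheme, host, path and query; the fragment is always dropped.
    return urlsplit(url)._replace(netloc=_netloc(url), fragment="").geturl()

def origin_referrer(url):
    # Origin-only Referer: scheme and host, serialised with a trailing slash.
    return f"{urlsplit(url).scheme}://{_netloc(url)}/"

def same_origin(src, dst):
    return urlsplit(src).scheme == urlsplit(dst).scheme and _netloc(src) == _netloc(dst)

def is_downgrade(src, dst):
    # The article's "downgraded protocol": HTTPS origin navigating to an HTTP destination.
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"

def referer_for(policy, src, dst):
    """Referer value the browser sends for a navigation src -> dst, or None if suppressed."""
    same, downgrade = same_origin(src, dst), is_downgrade(src, dst)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_referrer(src)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_referrer(src)
    if policy == "same-origin":
        return full_referrer(src) if same else None
    if policy == "origin":
        return origin_referrer(src)
    if policy == "strict-origin":
        return None if downgrade else origin_referrer(src)
    if policy == "origin-when-cross-origin":
        return full_referrer(src) if same else origin_referrer(src)
    if policy == "strict-origin-when-cross-origin":
        return full_referrer(src) if same else (None if downgrade else origin_referrer(src))
    raise ValueError(f"unknown Referrer-Policy value: {policy}")

if __name__ == "__main__":
    # Constructed sample URLs; the query string is the kind of data a leaky Referer exposes.
    src = "https://shop.example/account/orders?token=abc123#top"
    for dst in ("https://shop.example/cart", "https://partner.example/", "http://cdn.example/"):
        for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "unsafe-url"):
            print(f"{policy:32} -> {dst:27} Referer: {referer_for(policy, src, dst)}")
```

Running the script shows why the strict values are the safer default: the query string of the origin page only leaves your site under ‘unsafe-url’ and, for same-protocol destinations, ‘no-referrer-when-downgrade’.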
Examples for the header
Here are a few examples of how to set this header for Nginx and Apache servers (the comments use each server's `#` comment syntax).

```
# nginx
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# apache
Header always set Referrer-Policy "strict-origin-when-cross-origin"
```

```
# nginx
add_header Referrer-Policy "no-referrer-when-downgrade, origin-when-cross-origin" always;

# apache
Header always set Referrer-Policy "no-referrer-when-downgrade, origin-when-cross-origin"
```
All modern browsers support this header, but there are some exceptions:
- MS Internet Explorer doesn’t support this header at all.
- Opera Mini doesn’t support this header at all.
- Safari and iOS Safari support the old draft, with the allowed values never, always, origin and default.
- MS Edge supports the old draft, with the allowed values never, always, origin and default.
- Chrome before version 60 doesn't support the values same-origin, strict-origin and strict-origin-when-cross-origin.
On Dev4Press, I am currently using the Referrer Policy, and it is set to no-referrer-when-downgrade. It is not recommended to use the no-referrer or unsafe-url values, and if you use SSL (HTTPS protocol), make sure to set it to no-referrer-when-downgrade or one of the strict values. There is no way to give universal recommendations; it all depends on what you need and want to achieve, and you can easily test different values and see how they behave.