How to add Referrer-Policy header
Quick fix guide with step-by-step instructions. Barrion detects this finding in your scans; use this page to remediate it.
What it is
Referrer-Policy is an HTTP response header that controls how much referrer information (the URL of the page that linked to the current page) is sent in requests. Options range from no-referrer (send nothing) to unsafe-url (send full URL).
Why it matters
Without an explicit policy, a browser may send the full URL as the referrer, leaking query parameters and path information to every third party a page links to or loads resources from. Setting Referrer-Policy explicitly (e.g. strict-origin-when-cross-origin or no-referrer-when-downgrade) reduces that leakage and improves privacy. Note that no-referrer-when-downgrade only withholds the referrer on HTTPS-to-HTTP requests and still sends the full URL to cross-origin HTTPS destinations, so strict-origin-when-cross-origin is the stronger of the two.
How to fix it
1. Choose a policy
Use strict-origin-when-cross-origin for a good balance: full URL for same-origin, origin only for cross-origin HTTPS, and no referrer when downgrading to HTTP. Use no-referrer if you want to send nothing.
2. Add the header
Send Referrer-Policy on every response. Set it in your web server config (Nginx, Apache) or application middleware.
3. Verify
Run Barrion's referrer policy check or inspect response headers in dev tools to confirm the header is present.
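To make the verification step concrete, here is an added Python example (not Barrion's code) that grades a response's Referrer-Policy header and works out what Referer value a browser would actually send under each policy for a given source and destination URL, which shows why no-referrer-when-downgrade is graded as weak. All URLs and header values are constructed samples; the `_strip`, `referrer_for` and `check_header` names are this example's own.

```python
from urllib.parse import urlsplit, urlunsplit
POLICIES = {"no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
            "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url"}
# Policies that still send the full URL (path + query) to cross-origin HTTPS destinations.
LEAKY = {"no-referrer-when-downgrade", "unsafe-url"}

def _strip(url, origin_only=False):
    # Browser-style Referer serialisation: no credentials, fragment or default port; origin_only drops path+query.
    p = urlsplit(url)
    default = {"https": 443, "http": 80}.get(p.scheme)
    host = p.hostname + (f":{p.port}" if p.port and p.port != default else "")
    return urlunsplit((p.scheme, host, "/" if origin_only else (p.path or "/"),
                       "" if origin_only else p.query, ""))

def referrer_for(policy, source, dest):
    """Referer value a browser sends from `source` to `dest` under `policy` (None = nothing sent)."""
    full, origin = _strip(source), _strip(source, origin_only=True)
    same_origin = origin == _strip(dest, origin_only=True)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(dest).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else (None if downgrade else origin)
    raise ValueError(f"unknown policy: {policy!r}")

def check_header(headers):
    """Grade a response's Referrer-Policy: ('missing'|'invalid'|'weak'|'ok', policy)."""
    value = next((v for k, v in headers.items() if k.lower() == "referrer-policy"), None)
    if value is None:
        return ("missing", None)
    # The header may carry a comma-separated fallback list; the last recognised token wins.
    tokens = [t.strip().lower() for t in value.split(",")]
    chosen = next((t for t in reversed(tokens) if t in POLICIES), None)
    if chosen is None:
        return ("invalid", value)
    return ("weak" if chosen in LEAKY else "ok", chosen)

SAMPLE_HEADERS = {"Content-Type": "text/html", "Referrer-Policy": "no-referrer-when-downgrade"}  # constructed sample
```

Feed `check_header` the header map you captured from dev tools or a scanner, and use `referrer_for` with your own page URL to see exactly what a third party would receive.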
Examples by platform
Nginx
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
The always parameter makes Nginx emit the header on error responses as well, not only on 2xx/3xx. Note that add_header directives are not inherited by a location block that declares its own add_header lines, so repeat it there if needed.
Apache
Header always set Referrer-Policy "strict-origin-when-cross-origin"
This requires mod_headers; the always condition likewise applies the header to all responses, including error pages.
Check your site
Run Barrion's free security headers check to see if this finding applies to your app and get a full report.