Skip to main content

HTTP Header: Referrer Policy

The attack

The Referrer Policy module can control the behavior of the Referer header by setting the Referrer-Policy header.

The Referer HTTP header is typically set by web browsers to tell a server where it’s coming from. For example, if you click a link on example.com/index.html that takes you to wikipedia.org, Wikipedia’s servers will see Referer: example.com.

This can have privacy implications—websites can see where users are coming from.

The header

The new Referrer-Policy HTTP header lets authors control how browsers set the Referer header.

For example, when supported browsers see this header, they will set no Referer header at all:

Referrer-Policy: no-referrer

There are other directives, too. same-origin, for example, will only send the Referer header for pages on the same origin.

Referrer-Policy: same-origin

You can see the full list of directives on the specification and support in all browsers

The code

const helmet = require('helmet')

// Sets "Referrer-Policy: same-origin".
app.use(helmet.referrerPolicy({ policy: 'same-origin' }))

Refs: