Low severity

How to fix a missing Referrer-Policy header

Your site is missing a `Referrer-Policy` header. Without it, the browser falls back to `strict-origin-when-cross-origin` on most modern browsers — but older ones leak the full URL, including query strings that may contain session tokens or personal data, to every site you link to. Fix it with `Referrer-Policy: strict-origin-when-cross-origin` or the stricter `no-referrer`.

Why it matters

Password reset links, session tokens, and analytics IDs often live in URL query strings. When a user clicks an outbound link, the browser sends the full current URL as the `Referer` header by default. Attackers who operate or compromise a third-party site get those tokens.

How to check

  1. 01DevTools → Network → Response Headers: look for `referrer-policy`.
  2. 02If missing, the browser default applies — which varies by browser version.

Or let SafeToShip check it for you in 60 seconds:

How to fix it

Next.js

Add to headers() config.

{ key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' }

Generic

Send on every response. `strict-origin-when-cross-origin` is a sensible default.

Referrer-Policy: strict-origin-when-cross-origin

AI prompt

Copy-paste into your AI tool

Paste this prompt into Cursor, Lovable, Bolt, v0, or Claude Code and it will walk through the fix for your specific codebase.

Add `Referrer-Policy: strict-origin-when-cross-origin` to my app. If my site handles session tokens or sensitive data in URLs, use `no-referrer` instead. Apply globally.

FAQ

Frequently asked questions

What is the difference between `no-referrer` and `strict-origin-when-cross-origin`?
`no-referrer` sends nothing. `strict-origin-when-cross-origin` sends the full URL for same-origin navigation, the origin only (no path) for cross-origin HTTPS, and nothing for HTTP downgrades. The second is usually fine.
Will this break analytics?
Analytics tools that track incoming traffic see the origin only, not the full path. For most sites that is enough; for detailed campaign tracking, use UTM parameters instead of relying on Referer.

Scan your site for this and 50+ other issues

Free scan. Results in 60 seconds. No account required.