How to fix a missing Referrer-Policy header
Your site is missing a `Referrer-Policy` header. Without it, the browser falls back to `strict-origin-when-cross-origin` on most modern browsers — but older ones leak the full URL, including query strings that may contain session tokens or personal data, to every site you link to. Fix it with `Referrer-Policy: strict-origin-when-cross-origin` or the stricter `no-referrer`.
Why it matters
Password reset links, session tokens, and analytics IDs often live in URL query strings. When a user clicks an outbound link, the browser sends the full current URL as the `Referer` header by default. Attackers who operate or compromise a third-party site get those tokens.
How to check
- DevTools → Network → Response Headers: look for `referrer-policy`.
- If missing, the browser default applies, which varies by browser version.
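The check above can be automated. The following is an added example, not SafeToShip's code: it takes a response's headers as a plain object (any key casing), finds `Referrer-Policy`, resolves the comma-separated fallback form the header allows (the last recognised token wins), and classifies the result. The sample responses are constructed for illustration.

```javascript
// Added example (not SafeToShip's code): audit a response's Referrer-Policy header.

// Tokens that never expose path or query to a cross-origin destination.
const SAFE_POLICIES = new Set([
  'no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin',
]);
// Tokens that send only the origin cross-origin, but still do so on an HTTPS -> HTTP downgrade.
const ORIGIN_ONLY_POLICIES = new Set(['origin', 'origin-when-cross-origin']);
// Tokens that send the full URL (path and query) to cross-origin HTTPS destinations.
const WEAK_POLICIES = new Set(['no-referrer-when-downgrade', 'unsafe-url']);
const ALL_TOKENS = new Set([...SAFE_POLICIES, ...ORIGIN_ONLY_POLICIES, ...WEAK_POLICIES]);

// Returns { present, effective, verdict } where verdict is one of
// 'missing' | 'invalid' | 'ok' | 'acceptable' | 'weak'.
function auditReferrerPolicy(headers) {
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === 'referrer-policy');
  if (!entry) return { present: false, effective: null, verdict: 'missing' };

  // The header may be a comma-separated fallback list; browsers use the last token they recognise.
  const tokens = String(entry[1]).split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);
  const valid = tokens.filter((t) => ALL_TOKENS.has(t));
  const effective = valid.length ? valid[valid.length - 1] : null;

  // An empty or unrecognised value means the browser falls back to its own default.
  if (effective === null) return { present: true, effective: null, verdict: 'invalid' };
  if (SAFE_POLICIES.has(effective)) return { present: true, effective, verdict: 'ok' };
  if (ORIGIN_ONLY_POLICIES.has(effective)) return { present: true, effective, verdict: 'acceptable' };
  return { present: true, effective, verdict: 'weak' };
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_RESPONSES = {
  missing: { 'content-type': 'text/html', 'x-frame-options': 'DENY' },
  good: { 'Content-Type': 'text/html', 'Referrer-Policy': 'strict-origin-when-cross-origin' },
  leaky: { 'content-type': 'text/html', 'referrer-policy': 'unsafe-url' },
  fallbackList: { 'referrer-policy': 'no-referrer, bogus-value, strict-origin-when-cross-origin' },
};

// Audit a set of named responses and return name -> verdict.
function auditAll(responses) {
  return Object.fromEntries(
    Object.entries(responses).map(([name, h]) => [name, auditReferrerPolicy(h).verdict]),
  );
}

console.log(auditAll(SAMPLE_RESPONSES));
```

To run it against a live site, pass the headers from a `fetch()` response (for example `Object.fromEntries(res.headers)`) instead of the constructed samples.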
How to fix it
Next.js
Add to headers() config.
```js
{ key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' }
```
Generic
Send on every response. `strict-origin-when-cross-origin` is a sensible default.
```http
Referrer-Policy: strict-origin-when-cross-origin
```
AI prompt
Copy-paste into your AI tool
Paste this prompt into Cursor, Lovable, Bolt, v0, or Claude Code and it will walk through the fix for your specific codebase.
Add `Referrer-Policy: strict-origin-when-cross-origin` to my app. If my site handles session tokens or sensitive data in URLs, use `no-referrer` instead. Apply globally.
FAQ
Frequently asked questions
- What is the difference between `no-referrer` and `strict-origin-when-cross-origin`?
- `no-referrer` sends nothing. `strict-origin-when-cross-origin` sends the full URL for same-origin navigation, the origin only (no path) for cross-origin HTTPS, and nothing for HTTP downgrades. The second is usually fine.
- Will this break analytics?
- Analytics tools that track incoming traffic see the origin only, not the full path. For most sites that is enough; for detailed campaign tracking, use UTM parameters instead of relying on Referer.
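The first FAQ answer, and the leak described at the top of the page, are easiest to see by computing what a browser would actually put in `Referer`. The following is an added example, not SafeToShip's code: `refererFor()` implements the eight policy values from the Referrer Policy specification for a navigation from one URL to another, and `policiesLeakingToken()` lists which of them would expose a query-string token to a cross-origin page. The reset URL, the token value and the partner site are constructed for illustration.

```javascript
// Added example (not SafeToShip's code): what Referer does each policy send?
// Returns the Referer value, or null when no Referer header is sent.

// A referrer never carries credentials or the fragment.
function stripForReferrer(u) {
  const url = new URL(u);
  url.username = '';
  url.password = '';
  url.hash = '';
  return url.href;
}
// Origin-only form: scheme, host, port and a trailing slash.
function originOnly(u) {
  return new URL(u).origin + '/';
}
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}
// A downgrade is a navigation from HTTPS to a non-HTTPS destination.
function isDowngrade(a, b) {
  return new URL(a).protocol === 'https:' && new URL(b).protocol !== 'https:';
}

function refererFor(policy, fromUrl, toUrl) {
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return stripForReferrer(fromUrl);
    case 'no-referrer-when-downgrade':
      return isDowngrade(fromUrl, toUrl) ? null : stripForReferrer(fromUrl);
    case 'same-origin':
      return sameOrigin(fromUrl, toUrl) ? stripForReferrer(fromUrl) : null;
    case 'origin':
      return originOnly(fromUrl);
    case 'strict-origin':
      return isDowngrade(fromUrl, toUrl) ? null : originOnly(fromUrl);
    case 'origin-when-cross-origin':
      return sameOrigin(fromUrl, toUrl) ? stripForReferrer(fromUrl) : originOnly(fromUrl);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin(fromUrl, toUrl)) return stripForReferrer(fromUrl);
      return isDowngrade(fromUrl, toUrl) ? null : originOnly(fromUrl);
    default:
      throw new Error(`unknown Referrer-Policy value: ${policy}`);
  }
}

const ALL_POLICIES = [
  'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin', 'unsafe-url',
];

// Which policies would send a URL containing the `token=` query parameter to `toUrl`?
function policiesLeakingToken(fromUrl, toUrl) {
  return ALL_POLICIES.filter((p) => {
    const r = refererFor(p, fromUrl, toUrl);
    return r !== null && r.includes('token=');
  });
}

// Constructed scenario: a password-reset page that links to a third-party site.
const RESET_PAGE = 'https://app.example/reset?token=SAMPLE-TOKEN';
const THIRD_PARTY = 'https://partner.example/page';

for (const p of ALL_POLICIES) {
  console.log(p.padEnd(34), String(refererFor(p, RESET_PAGE, THIRD_PARTY)));
}
console.log('policies leaking the token cross-origin:', policiesLeakingToken(RESET_PAGE, THIRD_PARTY));
```

Running it shows the page's point directly: only `no-referrer-when-downgrade` (the old browser default) and `unsafe-url` send the query string to `partner.example`, while `strict-origin-when-cross-origin` reduces it to `https://app.example/` and drops it entirely on an HTTPS-to-HTTP link.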
Related fix guides
Fix these too
Missing CSP header
A missing Content-Security-Policy header lets attackers inject scripts into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
Cookie missing SameSite
SameSite controls whether cookies are sent on cross-site requests, the main defense against CSRF. Here is how to set it.
Platform guides
Building on these platforms?
Next.js security
Next.js is the most popular React framework, but even experienced developers miss security headers and accidentally expose server files in production.
Vercel security
Vercel handles hosting and SSL, but your application code still needs security hardening. Missing CSP headers and exposed environment variables are the top issues.