Low severity · Next.js

Missing Referrer-Policy on Next.js

Your site is missing a `Referrer-Policy` header. Without it, modern browsers fall back to `strict-origin-when-cross-origin`, but older browsers send the full current URL, including query strings that may contain session tokens or personal data, to every site you link to. Fix it with `Referrer-Policy: strict-origin-when-cross-origin` or the stricter `no-referrer`.

The fix for Next.js

Add this entry to the `headers` array returned by `headers()` in `next.config.js`, so it is set on every route:

```js
{ key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' }
```

Why it matters

Password reset links, session tokens, and analytics IDs often live in URL query strings. When a user clicks an outbound link, the browser sends the full current URL as the `Referer` header by default. Attackers who operate or compromise a third-party site get those tokens.

Confirm the fix worked

Scan your Next.js site to confirm this finding is gone.

Apply across your codebase

Paste this into Cursor, Lovable, Bolt, v0, or Claude Code.

Add `Referrer-Policy: strict-origin-when-cross-origin` to my app. If my site handles session tokens or sensitive data in URLs, use `no-referrer` instead. Apply globally.

Frequently asked questions

What is the difference between `no-referrer` and `strict-origin-when-cross-origin`?
`no-referrer` sends nothing. `strict-origin-when-cross-origin` sends the full URL for same-origin navigation, the origin only (no path) for cross-origin HTTPS, and nothing for HTTP downgrades. The second is usually fine.
Will this break analytics?
Analytics tools that track incoming traffic see the origin only, not the full path. For most sites that is enough; for detailed campaign tracking, use UTM parameters instead of relying on Referer.