
Referrer-Policy header

Baseline Widely available *

This feature is well established and works across many devices and browser versions. It’s been available across browsers since January 2020.

* Some parts of this feature may have varying levels of support.

The HTTP Referrer-Policy response header controls how much referrer information (sent with the Referer header) should be included with requests. Aside from the HTTP header, you can set this policy in HTML.

Header type: Response header

Syntax

http
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

Note: The header name Referer is a misspelling of the word "referrer". The Referrer-Policy header does not share this misspelling.

Directives

no-referrer

The Referer header will be omitted: sent requests do not include any referrer information.

no-referrer-when-downgrade

Send the origin, path, and query string in Referer when the protocol security level stays the same or improves (HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS). Don't send the Referer header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file).

origin

Send only the origin in the Referer header. For example, a document at https://example.com/page.html will send the referrer https://example.com/.

origin-when-cross-origin

When performing a same-origin request, send the origin, path, and query string. Send only the origin for cross-origin requests and requests to less secure destinations (HTTPS→HTTP).

same-origin

Send the origin, path, and query string for same-origin requests. Don't send the Referer header for cross-origin requests.

strict-origin

Send only the origin when the protocol security level stays the same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).

strict-origin-when-cross-origin (default)

Send the origin, path, and query string when performing a same-origin request. For cross-origin requests, send only the origin when the protocol security level stays the same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).

Note: This is the default policy if no policy is specified, or if the provided value is invalid (see spec revision November 2020). Previously the default was no-referrer-when-downgrade.

unsafe-url

Send the origin, path, and query string when performing any request, regardless of security.

Warning: This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.

Integration with HTML

You can also set referrer policies inside HTML. For example, you can set the referrer policy for the entire document with a <meta> element with a name of referrer:

html
<meta name="referrer" content="origin" />

You can specify the referrerpolicy attribute on <a>, <area>, <img>, <iframe>, <script>, or <link> elements to set referrer policies for individual requests:

html
<a href="http://example.com" referrerpolicy="origin">…</a>

Alternatively, you can set a noreferrer link relation on a, area, or link elements:

html
<a href="http://example.com" rel="noreferrer">…</a>

Warning: As seen above, the noreferrer link relation is written without a dash. When you specify the referrer policy for the entire document with a <meta> element, it should be written with a dash: <meta name="referrer" content="no-referrer">.

Integration with CSS

CSS can fetch resources referenced from stylesheets. These resources follow a referrer policy as well:

  • External CSS stylesheets use the default policy (strict-origin-when-cross-origin), unless it's overwritten by a Referrer-Policy HTTP header on the CSS stylesheet's response.
  • For <style> elements or style attributes, the owner document's referrer policy is used.

Examples

no-referrer

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | anywhere | (no referrer) |

no-referrer-when-downgrade

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | https://example.com/otherpage | https://example.com/page |
| https://example.com/page | https://mozilla.org | https://example.com/page |
| https://example.com/page | http://example.com | (no referrer) |
| http://example.com/page | anywhere | http://example.com/page |

origin

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | anywhere | https://example.com/ |

origin-when-cross-origin

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | https://example.com/otherpage | https://example.com/page |
| https://example.com/page | https://mozilla.org | https://example.com/ |
| https://example.com/page | http://example.com/page | https://example.com/ |

same-origin

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | https://example.com/otherpage | https://example.com/page |
| https://example.com/page | https://mozilla.org | (no referrer) |

strict-origin

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | https://mozilla.org | https://example.com/ |
| https://example.com/page | http://example.com | (no referrer) |
| http://example.com/page | anywhere | http://example.com/ |

strict-origin-when-cross-origin

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | https://example.com/otherpage | https://example.com/page |
| https://example.com/page | https://mozilla.org | https://example.com/ |
| https://example.com/page | http://example.com | (no referrer) |

unsafe-url

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page?q=123 | anywhere | https://example.com/page?q=123 |

Specify a fallback policy

If you want to specify a fallback policy in case the desired policy hasn't got wide enough browser support, use a comma-separated list with the desired policy specified last:

http
Referrer-Policy: no-referrer, strict-origin-when-cross-origin

In the above scenario, no-referrer is used only if the browser does not support the strict-origin-when-cross-origin policy.

Note: Specifying multiple values is only supported in the Referrer-Policy HTTP header, and not in the referrerpolicy attribute.
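
The fallback rule can be modelled as "the last value the browser recognizes wins". This is an added example, not MDN's code: the function names and the OLDER_BROWSER set are hypothetical, and a null return from attributePolicy is this sketch's way of saying the attribute contributes no policy.

```javascript
// Added example (not MDN code): choosing the effective policy from a header value.
const KNOWN_POLICIES = new Set([
  'no-referrer', 'no-referrer-when-downgrade', 'origin',
  'origin-when-cross-origin', 'same-origin', 'strict-origin',
  'strict-origin-when-cross-origin', 'unsafe-url',
]);
const CURRENT_DEFAULT = 'strict-origin-when-cross-origin';

// header: raw Referrer-Policy value; supported: policies this browser understands;
// browserDefault: what the browser uses when no listed value is recognized.
function effectiveHeaderPolicy(header, supported = KNOWN_POLICIES,
                               browserDefault = CURRENT_DEFAULT) {
  let chosen = null;
  for (const token of header.split(',')) {
    const value = token.trim();
    // Unrecognized tokens are skipped; a later recognized token overrides earlier ones.
    if (supported.has(value)) chosen = value;
  }
  return chosen === null ? browserDefault : chosen;
}

// The referrerpolicy attribute takes a single keyword, so a list is not a valid value.
function attributePolicy(value) {
  const v = value.trim();
  return KNOWN_POLICIES.has(v) ? v : null;
}

// Constructed model of a browser that predates strict-origin-when-cross-origin.
const OLDER_BROWSER = new Set(
  [...KNOWN_POLICIES].filter((p) => p !== CURRENT_DEFAULT)
);
```

The same model shows two common mistakes: a header value of noreferrer (the link-relation spelling) is not a policy keyword and silently yields the default, and reversing the list order makes the intended fallback the effective policy.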

Browser-specific preferences/settings

Firefox preferences

You can configure the default referrer policy in Firefox preferences. The preference names are version specific:

  • Firefox version 59 and later: network.http.referer.defaultPolicy (and network.http.referer.defaultPolicy.pbmode for private networks)
  • Firefox versions 53 to 58: network.http.referer.userControlPolicy

All of these settings take the same set of values: 0 = no-referrer, 1 = same-origin, 2 = strict-origin-when-cross-origin, 3 = no-referrer-when-downgrade.

Specifications

Specification
Referrer Policy
# referrer-policy-header

This page was last modified on by MDN contributors.

