Referer and Referrer-Policy best practices

Maud Nalpas

This page outlines some best practices for setting your Referrer-Policy and using the referrer in incoming requests.

Summary

• Unexpected cross-origin information leakage damages web users' privacy. A protective referrer policy can help.
• Consider setting a referrer policy of strict-origin-when-cross-origin. It preserves most of the referrer's usefulness, while mitigating the risk of leaking data cross-origins.
• Don't use referrers for Cross-Site Request Forgery (CSRF) protection. Use CSRF tokens instead, and other headers as an extra layer of security.

Referer and Referrer-Policy 101

HTTP requests can include an optional Referer header, which indicates the origin or web page URL the request was made from. The Referrer-Policy header defines what data is made available in the Referer header.

In the following example, the Referer header includes the complete URL of the page on site-one that the request was made from.

The Referer header might be present in different types of requests:

• Navigation requests, when a user clicks a link.
• Subresource requests, when a browser requests images, iframes, scripts, and other resources that a page needs.

For navigations and iframes, you can also access this data with JavaScript using document.referrer.

You can learn a lot from Referer values. For example, an analytics service might use them to determine that 50% of the visitors on site-two.example came from social-network.example. But when the full URL, including the path and query string, is sent in the Referer across origins, it can endanger user privacy and create security risks:

URLs #1 to #5 contain private information, and sometimes sensitive or identifying information. Leaking these silently across origins can compromise web users' privacy.

URL #6 is a capability URL. If anyone other than the intended user receives this, a malicious actor can take control of this user's account.

To restrict what referrer data is made available for requests from your site, you can set a referrer policy.

What policies are available and how do they differ?

You can select one of eight policies. Depending on the policy, the data available from the Referer header (and document.referrer) can be:

• No data (no Referer header is present)
• Only the origin
• The full URL: origin, path, and query string

Some policies are designed to behave differently depending on the context: cross-origin or same-origin request, whether the request destination is as secure as the origin, or both. This is useful to limit the amount of information shared across origins or to less secure origins, while maintaining the richness of the referrer within your own site.

The following table shows how referrer policies restrict the URL data available from the Referer header and document.referrer:

MDN provides a full list of policies and behavior examples.

Here are some things to be aware of when setting a referrer policy:

• All policies that take the scheme (HTTPS versus HTTP) into account (strict-origin, no-referrer-when-downgrade, and strict-origin-when-cross-origin) treat requests from one HTTP origin to another HTTP origin the same way as requests from an HTTPS origin to another HTTPS origin, even though HTTP is less secure. That's because for these policies, what matters is whether a security downgrade takes place; that is, if the request can expose data from an encrypted origin to an unencrypted one, as in HTTPS → HTTP requests. An HTTP → HTTP request is completely unencrypted, so there's no downgrade.
• If a request is same-origin, this means that the scheme (HTTPS or HTTP) is the same, so there's no security downgrade.

Default referrer policies in browsers

As of October 2021

If no referrer policy is set, the browser uses its default policy.

Best practices for setting referrer policy

There are different ways to set referrer policies for your site:

• As an HTTP header
• Within your HTML
• From JavaScript on a per-request basis

You can set different policies for different pages, requests, or elements.

The HTTP header and the meta element are both page-level. The priority order for determining an element's effective policy is as follows:

1. Element-level policy
2. Page-level policy
3. Browser default

Example:

index.html:

<meta name="referrer" content="strict-origin-when-cross-origin" />
<img src="..." referrerpolicy="no-referrer-when-downgrade" />

The image is requested with a no-referrer-when-downgrade policy, and all other subresource requests from this page follow the strict-origin-when-cross-origin policy.

How to see the referrer policy?

securityheaders.com is handy to determine which policy a specific site or page is using.

You can also use the developer tools in Chrome, Edge, or Firefox to see the referrer policy used for a specific request. At the time of this writing, Safari doesn't show the Referrer-Policy header, but does show the Referer that was sent.

Which policy should you set for your website?

We strongly recommend explicitly setting a privacy-enhancing policy such as strict-origin-when-cross-origin (or stricter).

Why "explicitly"?

If you don't set a referrer policy, the browser's default policy will be used—in fact, websites often defer to the browser's default. But this is not ideal, because:

• Different browsers have different default policies, so if you rely on browser defaults, your site won't behave predictably across browsers.
• Browsers are adopting stricter defaults such as strict-origin-when-cross-origin and mechanisms such as referrer trimming for cross-origin requests. Explicitly opting into a privacy-enhancing policy before browser defaults change gives you control and helps you run tests as you see fit.

Why strict-origin-when-cross-origin (or stricter)?

You need a policy that is secure, privacy-enhancing, and useful. What "useful" means depends on what you want from the referrer:

• Secure: if your website uses HTTPS (if not, make it a priority), you don't want your website's URLs to leak in non-HTTPS requests. Since anyone on the network can see these, leaks would expose your users to person-in-the-middle-attacks. The policies no-referrer-when-downgrade, strict-origin-when-cross-origin, no-referrer, and strict-origin solve this problem.
• Privacy-enhancing: for a cross-origin request, no-referrer-when-downgrade shares the full URL, which can cause privacy issues. strict-origin-when-cross-origin and strict-origin only share the origin, and no-referrer shares nothing at all. This leaves you with strict-origin-when-cross-origin, strict-origin, and no-referrer as privacy-enhancing options.
• Useful: no-referrer and strict-origin never share the full URL, even for same-origin requests. If you need the full URL, strict-origin-when-cross-origin is a better option.

All of this means that strict-origin-when-cross-origin is generally a sensible choice.

Example: Setting a strict-origin-when-cross-origin policy

index.html:

<meta name="referrer" content="strict-origin-when-cross-origin" />

Or server-side, for example in Express:

const helmet = require('helmet');
app.use(helmet.referrerPolicy({policy: 'strict-origin-when-cross-origin'}));

What if strict-origin-when-cross-origin (or stricter) doesn't accommodate all your use cases?

In this case, take a progressive approach: set a protective policy like strict-origin-when-cross-origin for your website and, if you need to, a more permissive policy for specific requests or HTML elements.

Example: element-level policy

index.html:

<head>
  <!-- document-level policy: strict-origin-when-cross-origin -->
  <meta name="referrer" content="strict-origin-when-cross-origin" />
  <head>
    <body>
      <!-- policy on this <a> element: no-referrer-when-downgrade -->
      <a src="…" href="…" referrerpolicy="no-referrer-when-downgrade"></a>
      <body></body>
    </body>
  </head>
</head>

Safari/WebKit might cap document.referrer or the Referer header for cross-site requests. See details.

Example: request-level policy

script.js:

fetch(url, {referrerPolicy: 'no-referrer-when-downgrade'});

What else should you consider?

Your policy should depend on your website and use cases, as determined by you, your team, and your company. If some URLs contain identifying or sensitive data, set a protective policy.

Best practices for incoming requests

Here are some guidelines for what to do if your site uses the referrer URL of incoming requests.

Protect users' data

The Referer can contain private, personal, or identifying data, so make sure you treat it as such.

Incoming referrers can change {referer-can-change}

Using the referrer from incoming cross-origin requests has a few limitations:

• If you have no control over the request emitter's implementation, you can't make assumptions about the Referer header (and document.referrer) you receive. The request emitter might decide to switch to a no-referrer policy at any time , or more generally to a stricter policy than what they used before. This means you receive less data from the Referer than before.
• Browsers increasingly use the Referrer-Policy strict-origin-when-cross-origin by default. This means that you might now receive only the origin, instead of a full referrer URL, in incoming cross-origin requests, if the sender site has no policy set.
• Browsers might change the way they manage Referer. For example, some browser developers might decide to always trim referrers to origins in cross-origin subresource requests, to protect user privacy.
• The Referer header (and document.referrer) might contain more data than you need. For example, it might have a full URL when you only want to know if the request is cross-origin.

Alternatives to Referer

You might need to consider alternatives if:

• An essential feature of your site uses the referrer URL of incoming cross-origin requests.
• Your site is no longer receiving the part of the referrer URL it needs in a cross-origin request. This happens when the request emitter changes their policy or when they have no policy set and the browser default's policy changed (like in Chrome 85).

To define alternatives, first analyze what part of the referrer you're using.

If you only need the origin

• If you're using the referrer in a script that has top-level access to the page, window.location.origin is an alternative.
• If available, headers like Origin and Sec-Fetch-Site give you the Origin or describe whether the request is cross-origin, which might be exactly what you need.

If you need other elements of the URL (path, query parameters…)

• Request parameters might address your use case, which saves you the work of parsing the referrer.
• If you're using the referrer in a script that has top-level access to the page, window.location.pathname might work as an alternative. Extract only the path section of the URL and pass it on as an argument, so any potentially sensitive information in the URL parameters isn't passed on.

If you can't use these alternatives:

• Check whether you can change your systems to expect the request emitter (for example, site-one.example) to explicitly set the information you need in some kind of configuration.
  • Pro: more explicit, more privacy-preserving for site-one.example users, more future-proof.
  • Con: potentially more work from your side or for your system's users.
• Check whether the site that emits the requests might agree to set a per-element or per-request Referrer-Policy of no-referrer-when-downgrade.
  • Con: potentially less privacy-preserving for site-one.example users, potentially not supported in all browsers.

Cross-Site Request Forgery (CSRF) protection

A request emitter can always decide not to send the referrer by setting a no-referrer policy, and a malicious actor could even spoof the referrer.

Use CSRF tokens as your primary protection. For extra protection, use SameSite, and instead of Referer, use headers such as Origin (available on POST and CORS requests) and Sec-Fetch-Site if it's available.

Log and debug

Make sure to protect users' personal or sensitive data that might be in the Referer.

If you're only using the origin, check whether you can use the Origin header as an alternative. This might give you the information that you need for debugging purposes in a simpler way and without needing to parse the referrer.

Payments

Payment providers might rely on the Referer header of incoming requests for security checks.

For example:

• The user clicks a Buy button on online-shop.example/cart/checkout.
• online-shop.example redirects to payment-provider.example to manage the transaction.
• payment-provider.example checks the Referer of this request against a list of allowed Referer values set up by the merchants. If it doesn't match any entry in the list, payment-provider.example rejects the request. If it does match, the user can proceed to the transaction.

Best practices for payment flow security checks

As a payment provider, you can use the Referer as a basic check against some attacks. However, the Referer header by itself isn't a reliable basis for a check. The requesting site, whether they're a legitimate merchant or not, can set a no-referrer policy that makes the Referer information unavailable to the payment provider.

Looking at the Referer might help payment providers catch naive attackers who didn't set a no-referrer policy. If you use the Referer as a first check:

• Don't expect the Referer to always be present. If it's present, check it against only the minimum data it can include, which is the origin.
  • When setting the list of allowed Referer values, make sure to include only the origin and no path.
  • For example, the allowed Referer values for online-shop.example should be online-shop.example, not online-shop.example/cart/checkout. By expecting either no Referer at all or a Referer value that is only the requesting site's origin, you prevent errors that might come from making assumptions about the merchant's Referrer-Policy.
• If the Referer is absent, or if it's present and your basic Referer origin check is successful, you can move onto another, more reliable verification method.

To more reliably verify payments, let the requester hash the request parameters together with a unique key. Payment providers can then calculate the same hash on your side and only accept the request if it matches your calculation.

What happens to the Referer when an HTTP merchant site with no referrer policy redirects to an HTTPS payment provider?

No Referer is visible in the request to the HTTPS payment provider, because most browsers use strict-origin-when-cross-origin or no-referrer-when-downgrade by default when a website has no policy set. Chrome's change to a new default policy won't change this behaviour.

Conclusion

A protective referrer policy is a great way to give your users more privacy.

To learn more about different techniques to protect your users, see our Safe and secure collection

Resources

• Understanding "same-site" and "same-origin"
• A new security header: Referrer Policy (2017)
• Referrer-Policy on MDN
• Referer header: privacy and security concerns on MDN
• Chrome change: Blink intent to implement
• Chrome change: Blink intent to ship
• Chrome change: status entry
• Chrome change: 85 beta blogpost
• Referrer trimming GitHub thread: what different browsers do
• Referrer-Policy Spec

With many thanks for contributions and feedback to all reviewers - especially Kaustubha Govind, David Van Cleve, Mike West, Sam Dutton, Rowan Merewood, Jxck, and Kayce Basques.