Referrer-Policy HTTP header
How the Referrer-Policy header controls what URL information is shared with other sites, the values available, and how to set a sensible default in Apache and PHP.
The Referrer-Policy header controls how much of the current URL a browser includes in the Referer request header when a visitor follows a link or a page loads a resource. It is as much a privacy control as a security one, since a full referrer can leak paths, query strings and tokens to other sites.
(The request header is spelled Referer, a misspelling baked into the web decades ago. The policy header that governs it is spelled correctly as Referrer-Policy.)
Referrer-Policy: strict-origin-when-cross-origin
That value is the sensible modern default, and the one most browsers now apply even when no header is set. It sends the full URL to your own origin, only the origin (the scheme and host, with no path) when moving to another site over HTTPS, and nothing at all when a request downgrades from HTTPS to HTTP.
The main values
no-referrer- never send the header at all.same-origin- send the full URL to your own site, and nothing to others.strict-origin- send only the origin, and nothing on an HTTPS to HTTP downgrade.strict-origin-when-cross-origin- the default described above, and a good choice for most sites.no-referrer-when-downgrade- the old default; sends the full URL except on a downgrade, and weaker on privacy.unsafe-url- always send the full URL. As the name suggests, avoid it.
If your pages carry anything sensitive in their URLs, a stricter policy stops it leaking to third parties through outbound links and embedded resources. It belongs with Content-Security-Policy and the other web application security headers.
How to set Referrer-Policy in Apache
<IfModule mod_headers.c>
Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
How to set Referrer-Policy in PHP
header('Referrer-Policy: strict-origin-when-cross-origin');
Setting it on AWS CloudFront
Static sites behind CloudFront have no web server to set the header, so it lives on the distribution. Reach first for a response headers policy, which lets you declare Referrer-Policy alongside your other security headers and have CloudFront add them to every response with no code to maintain. AWS even ships a managed security headers policy that sets a sensible strict-origin-when-cross-origin by default. When you need more than the policy offers, a CloudFront Function on the viewer response can set or vary the header in a few lines of JavaScript, and Lambda@Edge covers the rarer cases that need heavier logic at the edge.