Referrer-Policy HTTP Header

When you navigate the internet, the data you exchange between websites is a critical concern. Enter Referrer-Policy: think of it as your shield during this data exchange. It acts like a protective mechanism, ensuring your privacy remains intact.

In this article, we aim to simplify the understanding of this concept. We’ll explore how it impacts both regular users and website administrators. You’ll learn how various Referrer-Policy settings determine the sharing of information between websites, effectively preventing data leaks and undesired tracking. Whether you’re a typical web user or involved in website development, you’ll come to appreciate how this security feature protects your information, ensuring a secure and private online experience.

What is Referrer-Policy?

The Referrer-Policy is an HTTP header that websites use to determine how they share information about the source page (referrer URL) when users click on links or visit new pages. It helps decide whether to send the complete referring URL, just the domain, or no referrer data to the destination site, which has implications for user privacy and security.

According to Mozilla, “The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests.”

Understanding the Referrer-Policy header

This HTTP header serves as a security mechanism for regulating the sharing of referral information between different websites when a user is navigating the web. Referral information consists of the URL of the website from which a visitor arrives at the current page, and it is typically included in the HTTP request sent to the server when accessing web resources like images, scripts, or pages.

Website administrators can use the Referrer-Policy header to define guidelines regarding which referral information should or should not be included in HTTP requests. This approach helps safeguard user privacy and addresses potential security risks.

The choice of the appropriate value for the header depends on the specific security and privacy requirements of a particular website, as well as its functional needs. By configuring this header, website administrators can take measures to ensure that referral information is shared securely and responsibly.

Data from BuiltWith shows that fewer than 75,000 of the top 1 million sites use this header.

The importance of the Referrer-Policy header

The Referrer-Policy header governs the sharing of “Referer” header information between different websites. The “Referer” header contains the URL of the originating website that brought the user to the current page. The purpose of the referrer policy is to define the rules controlling how much of this information is passed through this header.

The importance of this header is primarily related to user privacy and online security. Here are some key reasons for its importance:

  • User privacy: the referrer policy empowers websites to manage how much information is shared with other websites. Properly setting up this header helps safeguard user privacy by preventing unnecessary exposure of sensitive data, such as browsing history or search queries.
  • Security: by restricting the amount of information shared through the “Referer” header, security threats like “header injection” and “CSRF” attacks can be thwarted. Minimizing the disclosure of sensitive information reduces the risk of exploitation by malicious actors.
  • Compliance with privacy regulations: in certain cases, like the General Data Protection Regulation (GDPR) in the European Union, websites must adhere to specific privacy regulations. The correct configuration of the Referrer-Policy header is a critical aspect of complying with these requirements.
  • Control over browser behavior: the header allows website owners to specify how web browsers should handle referrer information. This affords them control over the sharing of browsing data and interactions with other websites.

It’s essential to achieve a balance when configuring the Referrer-Policy header, as overly strict settings may affect certain functions, such as legitimate referral tracking or traffic analysis. It’s crucial to carefully consider how to configure this header based on a website’s specific needs.

Types of Referrer-Policy

Several values can be used with this header; let’s look at each of them.

  • no-referrer: This option implies that no referral information is shared in the requests. It’s the most restrictive choice and provides a high level of user privacy. However, it may lead to functional issues in some situations.
  • no-referrer-when-downgrade: In this case, referral information is excluded when transitioning from HTTPS to HTTP, but it is shared in other scenarios. This approach protects sensitive information when using a secure connection (HTTPS) while allowing some referral information to be shared in other cases.
  • same-origin: Referral information is only shared when the requested resource is on the same domain as the originating page, striking a balance between privacy and functionality.
  • strict-origin: This is similar to “same-origin,” but it applies even when the request is directed to a subdomain of the originating site. While it offers greater control over referral information, it can affect functionality in specific cases.
  • origin: Referral information is shared exclusively with the origin domain of the current page, excluding the path. This approach safeguards user privacy while permitting some functionality.
  • unsafe-url: Complete referral information, including the full URL, is shared with the target site. This is the least restrictive setting and is generally discouraged due to its privacy implications.

How to check the Referrer-Policy

There are two ways to verify a website’s Referrer-Policy:

  • Examine the HTTP header setup: You can check a website’s Referrer-Policy by inspecting the HTTP headers transmitted by the server. Tools commonly used for web development, like Chrome’s DevTools, can be used to check this header.


  • Utilize our online tool: You can use our web security scanner to quickly scan your site for free, including the Referrer-Policy header.
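As an added example (not from the original article or its scanner), the following Python script performs the first kind of check offline: paste in a raw response head captured with DevTools or `curl -I`, and it reports whether the header is present, which value is actually in effect, and whether that value still sends full URLs to other origins. It applies the parsing rule from the Referrer-Policy specification, under which unknown tokens are ignored and the last valid token in a comma-separated list wins. The sample responses are constructed for illustration.

```python
"""Audit the Referrer-Policy header in a captured HTTP response head.

Added example, not code from the article. Feed it a raw response head
captured with DevTools or `curl -I`; it reports presence, the effective
policy token, and whether that policy still leaks full URLs cross-origin.
The sample responses at the bottom are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

# The eight policy values defined by the W3C Referrer Policy specification.
VALID_POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)

# Policies that send the full source URL (path and query) to OTHER origins
# over HTTPS; these are the ones a privacy review usually flags.
LEAKS_FULL_URL_CROSS_ORIGIN = ("unsafe-url", "no-referrer-when-downgrade")


def parse_response_head(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.x response head into (lower-cased name, value) pairs.

    Parsing stops at the first blank line, so a body may follow the headers.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    pairs: List[Tuple[str, str]] = []
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():
            break
        if ":" not in line:
            continue                # tolerate junk lines rather than abort
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def referrer_policy_tokens(raw: str) -> List[str]:
    """Collect every token from every Referrer-Policy header line, in order.

    Browsers join repeated header lines with commas, and a single value may
    itself be a comma-separated list, so both forms are flattened here.
    """
    tokens: List[str] = []
    for name, value in parse_response_head(raw):
        if name == "referrer-policy":
            tokens.extend(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def effective_policy(tokens: List[str]) -> Optional[str]:
    """Spec parsing rule: unknown tokens are ignored and the LAST valid token
    wins, which lets a site list an older fallback value first and a newer
    value second."""
    policy = None
    for token in tokens:
        if token in VALID_POLICIES:
            policy = token
    return policy


def audit(raw: str) -> Dict[str, object]:
    """Return a small verdict dictionary for one captured response head."""
    tokens = referrer_policy_tokens(raw)
    policy = effective_policy(tokens)
    if not tokens:
        verdict = "missing"            # the browser default applies
    elif policy is None:
        verdict = "invalid"            # header present, but no valid token
    elif policy in LEAKS_FULL_URL_CROSS_ORIGIN:
        verdict = "leaks-full-url-cross-origin"
    else:
        verdict = "ok"
    return {"tokens": tokens, "effective": policy, "verdict": verdict}


# Constructed sample response heads (not captured from any real site).
SAMPLE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Referrer-Policy: no-referrer, strict-origin-when-cross-origin\r\n"
    "\r\n<html>...</html>"
)
SAMPLE_MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_TYPO = "HTTP/1.1 200 OK\r\nreferrer-policy: strict-origin-when-cross-orgin\r\n\r\n"
SAMPLE_WEAK = "HTTP/1.1 200 OK\r\nReferrer-Policy: unsafe-url\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("ok", SAMPLE_OK), ("missing", SAMPLE_MISSING),
                          ("typo", SAMPLE_TYPO), ("weak", SAMPLE_WEAK)]:
        print(f"{label:8s} -> {audit(sample)}")
```

The "typo" sample is the case worth remembering: a misspelled token is silently ignored by browsers, so the site ends up with the browser default rather than the policy it thinks it set, and only a check like this one notices.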

Referrer-Policy syntax

The syntax is pretty straightforward, as you can see below:

Referrer-Policy: directive

Here you simply replace the directive part with your desired directive, as explained a few paragraphs above.

Referrer-Policy examples

Let’s look at a few examples of the header in use and explain what each one does.

  • No Referrer-Policy:
Referrer-Policy: no-referrer

With this directive, no referrer data is sent with HTTP requests. This protects user privacy by preventing the exposure of information from the source page, even when clicking on links to other sites.

  • No Referrer When Downgrade Policy:
Referrer-Policy: no-referrer-when-downgrade

In this setting, referrer information is withheld when navigating from a secure (HTTPS) page to an insecure (HTTP) page, since that would be a downgrade, but it is sent in all other cases, including from an insecure page to a secure one. This balances privacy and functionality.

  • Same-Origin Policy:
Referrer-Policy: same-origin

This directive sends referrer information only when the request is made within the same origin domain. It is not sent when navigating to a different domain. This protects user privacy in cross-origin contexts.

  • Origin Policy:
Referrer-Policy: origin

In this configuration, the origin domain is sent in the referrer information, but the path or query is not included. For example, “https://example.com/page1” would be sent as “https://example.com”. This partially protects user privacy.

  • Strict-Origin Policy:
Referrer-Policy: strict-origin

Similar to “origin,” this directive sends the origin domain in the referrer information, but it is not sent when the request is made to a different domain. This provides further privacy protection in cross-origin contexts.

  • Origin When Cross-Origin Policy:
Referrer-Policy: origin-when-cross-origin

When the request is made within the same origin domain, the referrer information consists of the origin domain. If the request is made to a different domain, only the origin domain is sent in the referrer information. This balances privacy and functionality in cross-origin contexts.

  • Unsafe URL Policy:
Referrer-Policy: unsafe-url

This policy sends all referrer information, including the complete URL of the source page. It can expose sensitive information and is rarely used for protecting user privacy.
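To make the directive descriptions above (both the list in “Types of Referrer-Policy” and the examples just shown) concrete, here is an added Python example, not code from the original article, that computes the exact Referer value a browser sends for a given source page, destination and policy. It implements the referrer algorithm from the W3C Referrer Policy specification for all eight policy values, including strict-origin-when-cross-origin, which browsers apply by default when the header is absent. URLs are constructed for illustration, and the downgrade check is simplified to “HTTPS source, plain-HTTP destination”.

```python
"""Compute the Referer value a browser sends under each Referrer-Policy.

Added example, not code from the article. Implements the referrer
algorithm of the W3C Referrer Policy specification for all eight values.
Sample URLs are constructed for illustration.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)
DEFAULT_PORTS = {"http": 80, "https": 443}


def strip_for_referrer(url: str, origin_only: bool = False) -> str:
    """Strip a URL for use as a referrer, as the spec does.

    Credentials and the fragment are always dropped. With origin_only the
    path and query go too; browsers send the origin with a trailing slash.
    """
    p = urlsplit(url)
    host = p.hostname or ""
    port = "" if p.port in (None, DEFAULT_PORTS.get(p.scheme)) else f":{p.port}"
    if origin_only:
        return f"{p.scheme}://{host}{port}/"
    return urlunsplit((p.scheme, f"{host}{port}", p.path or "/", p.query, ""))


def is_downgrade(src: str, dst: str) -> bool:
    """HTTPS source to a plain-HTTP destination.

    Simplification: the spec talks of 'potentially trustworthy' destinations,
    under which e.g. http://localhost is not a downgrade; ignored here.
    """
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"


def referer_for(policy: str, src: str, dst: str) -> Optional[str]:
    """Return the Referer header value, or None when no referrer is sent."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    full = strip_for_referrer(src)
    origin = strip_for_referrer(src, origin_only=True)
    same_origin = origin == strip_for_referrer(dst, origin_only=True)
    downgrade = is_downgrade(src, dst)

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    # strict-origin-when-cross-origin: the browser default when no header is set.
    if downgrade:
        return None
    return full if same_origin else origin


def matrix(src: str, dst: str) -> Dict[str, Optional[str]]:
    """Referer value for every policy, for one (source, destination) pair."""
    return {policy: referer_for(policy, src, dst) for policy in POLICIES}


if __name__ == "__main__":
    # Constructed URLs; the query string stands in for data that must not leak.
    source = "https://shop.example/orders?token=abc123#receipt"
    for destination in ("https://shop.example/help",
                        "https://cdn.example/x.png",
                        "http://tracker.example/pixel"):
        print(f"\n{source} -> {destination}")
        for policy, value in matrix(source, destination).items():
            print(f"  {policy:32s} {value}")
```

Running it prints a policy-by-destination table for a same-origin, a cross-origin HTTPS and a cross-origin HTTP destination, which is the quickest way to see that only no-referrer, same-origin, strict-origin and strict-origin-when-cross-origin keep the query string away from every other origin.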

How to set the Referrer-Policy

Let’s see how to set this header in some of the most popular web servers.

Enabling Referrer-Policy in Apache

Open your website’s Apache configuration file. Typically, you can find it in /etc/apache2/sites-available/ for Debian-based systems or /etc/httpd/conf.d/ for Red Hat-based systems. You can edit either the main configuration file (e.g., httpd.conf) or the configuration file specific to your site.

Insert the following line within the VirtualHost block of your website or in the main configuration file if you want the setting to apply to all sites:

Header always set Referrer-Policy "directive"

Replace “directive” with your desired policy, like “no-referrer” or “strict-origin-when-cross-origin.” This line configures the Referrer-Policy header for your site. The Header directive is provided by mod_headers, so that module must be enabled (on Debian-based systems: a2enmod headers); the always keyword makes Apache add the header to error responses as well as successful ones.

Save the file, and then restart Apache to apply the changes (on Red Hat-based systems the service is called httpd, so use systemctl restart httpd instead):

systemctl restart apache2

Setting up the Referrer-Policy in Nginx

Open the Nginx configuration file for your website. Usually, it’s located in /etc/nginx/sites-available/ on Debian-based systems or /etc/nginx/conf.d/ on Red Hat-based systems.

Add the following line within the server block of your website:

add_header Referrer-Policy "directive";

Replace “directive” with the policy you want to set. Note that Nginx does not merge add_header directives across nesting levels: if a location block contains any add_header of its own, it inherits none of the add_header lines from the enclosing server block, so the Referrer-Policy line must be repeated there. Appending the always parameter (add_header Referrer-Policy "directive" always;) makes Nginx include the header on error responses too.

Save the file, and then reload the Nginx configuration to apply the changes:

systemctl reload nginx

Summary

The Referrer-Policy header plays a crucial role in safeguarding user privacy and online security. It dictates how websites share information about the source page when users click on links or visit new pages. By regulating the sharing of referral data, website administrators can control the amount of information sent to destination sites, thereby preventing data leaks and unwanted tracking.

Its settings range from the highly restrictive “no-referrer” to the more permissive “unsafe-url.” These settings strike a balance between privacy and functionality.
