Prevent outsiders from tracking your visitor's every move
Referrer Policy
Preliminaries
Establish a policy for the browser to follow when assembling 'referer' request headers, limiting what's revealed when requesting resources cross-domain or under protocol switching scenarios.
The browser sends a referer request header for each request made from one page to another. This is useful for tracking how a visitor moves through your website. It is also a possible target for abuse.
The referrer-policy allows you to control whether to send this header or not. It can also be used to instruct the browser to include the origin (protocol + hostname + port), but not the full document path, of the requestor.
The three simplest cases are:
- no-referrer instructs the browser to omit the referer header completely.
- origin instructs the browser to send the requestor's origin only (protocol + hostname + port).
- unsafe-url instructs the browser to send the requestor's complete origin, resource path, and all query-string variables.
The referrer-policy also covers two additional use cases. First, going from one domain to a different domain, for example, a document at helloworld.tld/homepage.html requesting a font from fonts.google.com.
Second, switching from one protocol to another, for example, a document at https://helloworld.tld/homepage.html requesting an image at http://cdn.helloworld.tld/logo.png.
When going from one domain to a different domain
- same-origin instructs the browser to omit the referer header completely (case 1 above).
- origin-when-cross-origin instructs the browser to limit the referer header to just the origin (case 2 above).
When switching from https: to http:, these policies instruct the browser to omit the referer header completely (case 1 above):
- no-referrer-when-downgrade
- strict-origin
- strict-origin-when-cross-origin
When switching from http: to https:
- strict-origin instructs the browser to limit the referer header to just the origin (case 2 above).
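The cross-domain and protocol-switching cases above, simulated for every policy value. This is an added example, not code from the page or from the server it documents; it uses the page's helloworld.tld URLs as constructed sample input and treats only an https: to http: switch as a downgrade.

```javascript
// Added example: what a browser puts in the Referer header under each
// referrer-policy value. Assumes Node.js (global URL and Set).
const POLICIES = new Set([
  'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin',
  'strict-origin-when-cross-origin', 'unsafe-url',
]);

// "Full" referrer: the document URL with credentials and fragment removed.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// "Origin only" referrer: protocol + hostname + port, sent with a trailing "/".
function originReferrer(url) {
  return new URL(url).origin + '/';
}

// Returns the Referer value the browser would send, or null when it is omitted.
function referrerFor(policy, fromUrl, toUrl) {
  if (!POLICIES.has(policy)) throw new Error('unknown policy: ' + policy);
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;          // case: same domain
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:'; // case: https -> http
  switch (policy) {
    case 'no-referrer':                return null;
    case 'unsafe-url':                 return stripForReferrer(fromUrl);
    case 'origin':                     return originReferrer(fromUrl);
    case 'same-origin':                return sameOrigin ? stripForReferrer(fromUrl) : null;
    case 'no-referrer-when-downgrade': return downgrade ? null : stripForReferrer(fromUrl);
    case 'strict-origin':              return downgrade ? null : originReferrer(fromUrl);
    case 'origin-when-cross-origin':   return sameOrigin ? stripForReferrer(fromUrl) : originReferrer(fromUrl);
    case 'strict-origin-when-cross-origin':
      if (downgrade) return null;
      return sameOrigin ? stripForReferrer(fromUrl) : originReferrer(fromUrl);
  }
}

// Show the page's two scenarios for every policy.
const FONT = ['https://helloworld.tld/homepage.html?session=abc', 'https://fonts.google.com/font.woff2'];
const LOGO = ['https://helloworld.tld/homepage.html?session=abc', 'http://cdn.helloworld.tld/logo.png'];
for (const p of POLICIES) {
  console.log(p.padEnd(32), 'font:', referrerFor(p, ...FONT), '| logo:', referrerFor(p, ...LOGO));
}
```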
Configuration
The referrer-policy is configured with a single line item placed within the policy section. It may take any of these values:
| no-referrer |
| no-referrer-when-downgrade |
| same-origin |
| origin |
| strict-origin |
| origin-when-cross-origin |
| strict-origin-when-cross-origin |
| unsafe-url |
To be effective, the policies module must be turned on.
EBNF
SP ::= U+20
CR ::= U+0D
LEFT-CURLY-BRACKET ::= U+7B
RIGHT-CURLY-BRACKET ::= U+7D
policy-value ::= 'no-referrer' | 'no-referrer-when-downgrade' | 'same-origin' | 'origin' | 'strict-origin' | 'origin-when-cross-origin' | 'strict-origin-when-cross-origin' | 'unsafe-url'
referrer-policy ::= 'referrer-policy' SP policy-value CR
policy-configs ::= referrer-policy | content-security-policy† | feature-policy† | network-error-logging† | report-to†
policies-section ::= 'policies' SP LEFT-CURLY-BRACKET CR policy-configs* RIGHT-CURLY-BRACKET CR
† These are defined in separate notes
Cookbook
Example 1: origin
server {
    modules {
        policies on
    }
    policies {
        referrer-policy origin
    }
}
This configuration will result in a referrer-policy response header of:
referrer-policy: origin
Example 2: no-referrer
server {
    modules {
        policies on
    }
    policies {
        referrer-policy no-referrer
    }
}
This configuration will result in a referrer-policy response header of:
referrer-policy: no-referrer
Review
Key points to remember:
- The policies module must be on to enable the referrer-policy.
- The referrer-policy response header is sent only with HTML documents.
