Prevent outsiders from tracking your visitor's every move
Referrer Policy
Preliminaries
Establish a policy for the browser to follow when assembling 'referer' request headers, limiting what's revealed when requesting resources cross-domain or under protocol switching scenarios.
The browser sends a referer request header for each request made from one page to another. This is useful for tracking how a visitor moves through your website. It is also a possible target for abuse.
The referrer-policy allows you to control whether to send this header or not. It can also be used to instruct the browser to include the origin (protocol + hostname + port), but not the full document path, of the requestor.
The three simplest cases are:
no-referrer
instructs the browser to omit the referer header completely.
origin
instructs the browser to send the requestor's origin only (protocol + hostname + port).
unsafe-url
instructs the browser to send the requestor's complete origin, resource path, and all query-string variables.
The referrer-policy also covers two additional use cases. First, going from one domain to a different domain, for example, a document at helloworld.tld/homepage.html requesting a font from fonts.google.com. Second, switching from one protocol to another, for example, a document at https://helloworld.tld/homepage.html requesting an image at http://cdn.helloworld.tld/logo.png.
When going from one domain to a different domain:
same-origin
instructs the browser to omit the referer header completely (case 1 above).
origin-when-cross-origin
instructs the browser to limit the referer header to just the origin (case 2 above).
When switching from https: to http:, these policies instruct the browser to omit the referer header completely (case 1 above):
no-referrer-when-downgrade
strict-origin
strict-origin-when-cross-origin
When switching from http: to https::
strict-origin
instructs the browser to limit the referer header to just the origin (case 2 above).
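The following is an added example, not part of this note or the server's own code: a small JavaScript model of what the browser puts in the referer header for each of the eight policy values, applied to the two scenarios above (cross-domain and https-to-http downgrade). The sample URLs are constructed; it runs under Node.js using the standard WHATWG URL API.

```javascript
// Added example: model the referer header a browser sends under each
// referrer-policy value. Not the server's code; uses Node's WHATWG URL API.
const POLICIES = [
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
];

// Full form: the document URL with credentials and fragment removed,
// which is the most a browser ever places in a referer header.
function fullReferer(url) {
  const u = new URL(url);
  u.username = ""; u.password = ""; u.hash = "";
  return u.href;
}

// Origin-only form: scheme + host + port, serialized with a trailing slash.
function originReferer(url) {
  return new URL(url).origin + "/";
}

// Returns the referer header value, or null when the header is omitted.
function refererFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl), to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol === "http:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return fullReferer(fromUrl);
    case "origin": return originReferer(fromUrl);
    case "same-origin": return sameOrigin ? fullReferer(fromUrl) : null;
    case "origin-when-cross-origin":
      return sameOrigin ? fullReferer(fromUrl) : originReferer(fromUrl);
    case "no-referrer-when-downgrade":
      return downgrade ? null : fullReferer(fromUrl);
    case "strict-origin":
      return downgrade ? null : originReferer(fromUrl);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return fullReferer(fromUrl);
      return downgrade ? null : originReferer(fromUrl);
    default: throw new Error(`unknown referrer-policy: ${policy}`);
  }
}

// Constructed sample requests matching the two scenarios in this note.
const CROSS_DOMAIN = ["https://helloworld.tld/homepage.html?user=42", "https://fonts.google.com/css"];
const DOWNGRADE = ["https://helloworld.tld/homepage.html?user=42", "http://cdn.helloworld.tld/logo.png"];

for (const [from, to] of [CROSS_DOMAIN, DOWNGRADE]) {
  for (const p of POLICIES) console.log(p.padEnd(32), refererFor(p, from, to) ?? "(omitted)");
}
```

The query string `user=42` in the constructed sample shows what leaks under `unsafe-url` and `no-referrer-when-downgrade` on a cross-domain request, and what the origin-only policies withhold.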
Configuration
The referrer-policy is configured with a single line item placed within the policies section. It may take any of these values:
no-referrer
no-referrer-when-downgrade
same-origin
origin
strict-origin
origin-when-cross-origin
strict-origin-when-cross-origin
unsafe-url
To be effective, the policies module must be turned on.
EBNF
SP ::= U+20
CR ::= U+0D
LEFT-CURLY-BRACKET ::= U+7B
RIGHT-CURLY-BRACKET ::= U+7D
policy-value ::= 'no-referrer' | 'no-referrer-when-downgrade' | 'same-origin' | 'origin' | 'strict-origin' | 'origin-when-cross-origin' | 'strict-origin-when-cross-origin' | 'unsafe-url'
referrer-policy ::= 'referrer-policy' SP policy-value CR
policy-configs ::= referrer-policy | content-security-policy† | feature-policy† | network-error-logging† | report-to†
policies-section ::= 'policies' SP LEFT-CURLY-BRACKET CR policy-configs* RIGHT-CURLY-BRACKET CR
† These are defined in separate notes
Cookbook
Example 1: origin
server {
    modules {
        policies on
    }
    policies {
        referrer-policy origin
    }
}
This configuration will result in a referrer-policy response header of:
referrer-policy: origin
Example 2: no-referrer
server {
    modules {
        policies on
    }
    policies {
        referrer-policy no-referrer
    }
}
This configuration will result in a referrer-policy response header of:
referrer-policy: no-referrer
Review
Key points to remember:
- The policies module must be on to enable the referrer-policy.
- The referrer-policy response header is sent only with HTML documents.