What Does the Referrer-Policy Header Control?
Learn how the Referrer-Policy header limits URL leakage to third parties, its default value, and how to configure it safely.
Expected Interview Answer
The Referrer-Policy header controls how much information about the current page’s URL the browser includes in the Referer header when the user navigates away or when the page requests resources from another origin, letting a site limit leakage of sensitive path segments, query strings, or internal URLs to third parties.
By default, browsers historically sent the full URL of the referring page — including query parameters that might contain session tokens, search terms, or internal IDs — to whatever origin a link or resource request pointed to. Referrer-Policy lets the server specify a stricter rule: values like no-referrer send nothing at all, origin sends only the scheme and host with no path, and strict-origin-when-cross-origin (the current browser default) sends the full URL for same-origin requests but only the origin for cross-origin requests, and nothing at all when downgrading from HTTPS to HTTP. This matters both for privacy — preventing analytics or ad networks from seeing exactly which internal page or search query a user came from — and for security, since a leaked URL containing a password-reset token or an internal admin path in the query string could be captured by a third-party server simply because the user clicked an outbound link. Choosing the right policy is a tradeoff: overly strict settings can break legitimate analytics attribution, while overly permissive ones leak more than necessary.
- Prevents sensitive query parameters or internal paths from leaking to third-party origins
- Reduces cross-site tracking based on referring page context
- Guarantees no downgrade-leak of URLs when navigating from HTTPS to HTTP
- Configurable per site or even per link via the referrerpolicy HTML attribute
AI Mentor Explanation
Referrer-Policy is like a team deciding exactly what information a departing player is allowed to share with a new club — full match strategy, just the team name, or nothing at all. If policy says 'just the club name,' the player mentions only 'I played for that club,' not the specific tactics discussed in the dressing room. Send them off with no restriction, though, and they might casually reveal internal strategy notes just because they were overheard on the way out. That deliberate control over exactly what leaks when someone moves on is precisely what Referrer-Policy governs for URLs.
Step-by-Step Explanation
Step 1
Server declares a Referrer-Policy value
Sent as an HTTP header or a <meta name="referrer"> tag, applying to the whole page or overridden per link.
Step 2
User navigates or a cross-origin request fires
A link click, resource fetch, or navigation triggers the browser to construct a Referer header for the destination.
Step 3
Browser applies the policy before sending
Depending on the value, the browser strips the path/query, reduces to origin-only, or omits the header entirely.
Step 4
Destination receives only the permitted amount
The receiving server sees exactly as much (or as little) of the referring URL as the policy allowed — never more.
What Interviewer Expects
- Explaining the default browser behavior (strict-origin-when-cross-origin) versus stricter options
- Understanding both the privacy and security angles (token/URL leakage)
- Awareness of the HTTPS-to-HTTP downgrade protection built into most policies
- Ability to name at least two policy values and their behavior difference
Common Mistakes
- Assuming the Referer header always contains the full URL by default in modern browsers
- Confusing Referrer-Policy with the unrelated Referer request header itself
- Setting no-referrer globally without considering it can break legitimate analytics
- Forgetting the header can be overridden per-link via the referrerpolicy HTML attribute
Best Answer (HR Friendly)
“Referrer-Policy controls how much of the current page’s web address gets shared with the next site you click through to. It’s a privacy and security setting — without it, a link containing something sensitive in the URL could leak straight to another company’s server just because someone clicked it.”
Code Example
<!-- Response header (server-side) -->
<!-- Referrer-Policy: strict-origin-when-cross-origin -->
<!-- Page-wide meta tag alternative -->
<meta name="referrer" content="strict-origin-when-cross-origin">
<!-- Per-link override for an outbound, less-trusted destination -->
<a href="https://external-partner.example.com" referrerpolicy="no-referrer">
Visit partner site
</a>Follow-up Questions
- What is the difference between origin and strict-origin-when-cross-origin?
- How does Referrer-Policy protect against leaking a URL during an HTTPS-to-HTTP downgrade?
- Why might overly strict referrer policies break legitimate analytics attribution?
- How do you set a referrer policy for just one specific outbound link instead of the whole page?
MCQ Practice
1. What does the Referrer-Policy header primarily control?
Referrer-Policy governs how much of the current page URL is disclosed to the destination when navigating or fetching resources.
2. Which Referrer-Policy value sends no Referer header at all?
no-referrer omits the Referer header entirely for every navigation and request.
3. What happens to the Referer header under strict-origin-when-cross-origin when navigating from HTTPS to HTTP?
This policy strips the referrer entirely on a security downgrade (HTTPS to HTTP) to avoid leaking a secure URL over an insecure channel.
Flash Cards
What does Referrer-Policy control? — How much of the current URL is sent in the Referer header to the destination on navigation or cross-origin requests.
What is the modern browser default? — strict-origin-when-cross-origin — full URL same-origin, origin-only cross-origin, nothing on HTTPS-to-HTTP downgrade.
Strictest possible value? — no-referrer — omits the Referer header entirely.
How to override per link? — Use the referrerpolicy HTML attribute on an individual <a> or resource tag.