Home / Tools / Set Referrer-Policy header to control data leakage
Security Headers · Scan Check Guide

Set Referrer-Policy header to control data leakage

10 min Impact: medium Effort: low ✓ Scan-verified — no manual checkbox

Referrer-Policy controls how much information about the page a visitor is leaving gets sent to the NEXT site they click through to — without it, the full URL of your page (which can include sensitive query parameters like session tokens or search terms) can leak to every external link a visitor clicks.

Without this header, your full URL (including query parameters and tokens) is sent to every external site visitors click to. This can leak session data, user IDs, or sensitive paths.

How to fix it

  1. 1
    Pick a policy level
    strict-origin-when-cross-origin is the modern, sensible default — full URL sent to your own domain, only the origin (no path) sent to other sites, nothing sent on an HTTPS-to-HTTP downgrade.
  2. 2
    Add the header
    Set Referrer-Policy: strict-origin-when-cross-origin in your server config or CDN.
  3. 3
    Check any analytics that rely on referrer data
    If you specifically need full-URL referrer data for attribution, confirm your analytics tool doesn't depend on more than the origin being passed.

Common mistakes

How you'll know it's done

The response header Referrer-Policy: strict-origin-when-cross-origin (or similarly restrictive) is present.

Tools that help

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →