Referrer-Policy

Referrer Policy Checker

Verify your Referrer-Policy configuration and detect whether sensitive URL information could be leaking to third-party sites. This tool shows you which referrer policy is set, whether it's secure, and the exact header to add.

  • Free to use
  • No registration required
  • No scan history stored
  • Browser-first analysis
  • PDF report export
  • Copy-paste fixes

What is Referrer-Policy?

The Referrer-Policy HTTP header controls how much referrer information (the URL of the page or resource that initiated a request) a browser puts in the Referer header of requests your site makes to other origins, whether navigations, subresource loads or fetch/XHR calls. (The request header is spelled Referer, a misspelling the HTTP standard kept; the policy header is spelled Referrer-Policy.) Without an explicit policy, older browsers and many embedded webviews fall back to no-referrer-when-downgrade, which sends the full URL, including path, query string and any tokens or identifiers in it, to every HTTPS resource your page loads or links to. Chrome (since version 85) and Firefox (since version 87) default to strict-origin-when-cross-origin instead, but an explicit header is the only way to get one consistent policy across every client and to choose a stricter one where you need it.

Why It Matters

Password reset tokens, OAuth state and authorization code parameters, session identifiers carried in URLs, and internal path structures can all reach third-party analytics services, advertising platforms and CDNs through the Referer header whenever a page whose URL contains them loads a resource from, or links to, that third party. This is an information disclosure vulnerability with direct consequences: a password reset page that leaks its token lets whoever controls, or can read the logs of, the receiving service reset the password and take over the account, with no exploitation skill required.

Common Configuration Mistakes

  • Using unsafe-url, which sends the full URL, query string included, to every destination, plain-HTTP ones too
  • Using no-referrer-when-downgrade (the pre-2020 browser default), which still sends the full URL to any HTTPS cross-origin destination; it only withholds the referrer on an HTTPS-to-HTTP downgrade
  • Misspelling the policy token (for example a missing hyphen): browsers ignore unrecognised tokens, so the header silently leaves the browser default in force
  • Relying solely on a <meta name="referrer"> tag instead of the HTTP header: the tag has to be present in every HTML page (and is easily dropped from a template), whereas the header can be set once at the server or edge for all responses
  • Forgetting that the Referer you send is logged on the receiving side: analytics, ad and CDN providers keep request logs, so a leaked token sits in third-party storage and may be visible to their staff, partners, or anyone who later breaches them
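The parsing rules behind the mistakes above are easy to get wrong, so here is an added example (not the page's own tool) of a small checker that evaluates a Referrer-Policy header value the way a browser does and flags the weak cases. It follows the Referrer Policy spec: the value is a comma-separated list, unrecognised tokens are ignored, the last recognised token wins, and an absent or empty value leaves the browser default in force. The hostnames and the checkUrl helper are assumptions for illustration.

```javascript
// Added example: assess a Referrer-Policy header value as a browser would parse it.
const POLICIES = new Set([
  'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin',
  'strict-origin-when-cross-origin', 'unsafe-url',
]);

// Policies that still leak something cross-origin, and why.
const WEAK = {
  'unsafe-url':
    'full URL (path and query string) is sent to every destination, including plain-HTTP ones',
  'no-referrer-when-downgrade':
    'full URL is sent to every HTTPS destination; only HTTPS-to-HTTP downgrades are protected',
  'origin-when-cross-origin':
    'origin only cross-origin, but the origin is still sent on HTTPS-to-HTTP downgrades',
};

const RECOMMENDED = 'Referrer-Policy: strict-origin-when-cross-origin';

// Returns the policy a browser would apply, or '' when no valid token is present.
// Spec behaviour: split on commas, ignore unknown tokens, last recognised token wins.
function parseReferrerPolicyHeader(value) {
  if (value == null) return '';
  let policy = '';
  for (const raw of value.split(',')) {
    const token = raw.trim().toLowerCase();
    if (POLICIES.has(token)) policy = token;
  }
  return policy;
}

// value: the raw header value, or null when the header is absent.
function assessReferrerPolicy(value) {
  const effective = parseReferrerPolicyHeader(value);
  if (effective === '') {
    const missing = value == null;
    return {
      effective: '(browser default)',
      status: missing ? 'missing' : 'weak',
      finding: (missing ? 'header is missing' : `no recognised policy token in "${value}"`) +
        '; current Chrome/Firefox default to strict-origin-when-cross-origin, ' +
        'older browsers and some webviews to no-referrer-when-downgrade, which leaks full URLs',
      fix: RECOMMENDED,
    };
  }
  if (WEAK[effective]) {
    return { effective, status: 'weak', finding: WEAK[effective], fix: RECOMMENDED };
  }
  return { effective, status: 'ok', finding: 'no cross-origin path or query string leakage', fix: null };
}

// Hypothetical helper: assess the live header of a URL (needs network access;
// everything above runs offline). Redirects are not followed so the header of
// the exact URL asked for is what gets assessed.
async function checkUrl(url) {
  const res = await fetch(url, { method: 'HEAD', redirect: 'manual' });
  return assessReferrerPolicy(res.headers.get('referrer-policy'));
}

// Constructed sample values, as a server or edge might emit them.
const samples = [
  null,
  'unsafe-url',
  'no-referrer-when-downgrade, strict-origin-when-cross-origin', // last token wins: ok
  'strict-origin-when-crossorigin',                              // typo: browser default
  'Strict-Origin-When-Cross-Origin',
];
for (const s of samples) console.log(JSON.stringify(s), '=>', assessReferrerPolicy(s));
```

Note the third sample: a fallback list is legitimate (older browsers that do not know the last token fall back to an earlier one), but the weak token must come first, not last, or it is the one that wins.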

Recommended Configuration

Send the header on every response, HTML and non-HTML alike, from the server or edge rather than from individual page templates:

Referrer-Policy: strict-origin-when-cross-origin

Frequently Asked Questions

What does strict-origin-when-cross-origin mean?

It sends the full URL (minus credentials and fragment) as the referrer for same-origin requests, but only the origin (scheme, host and port, serialised with a trailing slash and without path or query string) for cross-origin requests. For downgrade requests (HTTPS to HTTP), no referrer is sent at all. This is also the default in current Chrome and Firefox, so setting it explicitly mainly protects users on older browsers and embedded webviews.
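The three cases above, and how the other policies compare, are easiest to see by computing the Referer value directly. The following is an added example, not code from the page, that mirrors the "determine request's referrer" algorithm from the Referrer Policy specification with one stated simplification: a URL counts as potentially trustworthy only when its scheme is https: or wss: (the spec also counts localhost, file: and a few others). The reset-page URL and the third-party hostnames are constructed for the example.

```javascript
// Added example: what Referer does a browser send from `fromUrl` to `toUrl`
// under a given Referrer-Policy? Follows the spec algorithm; the trustworthy
// check is simplified to "scheme is https: or wss:".
const ALL_POLICIES = [
  'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin',
  'strict-origin-when-cross-origin', 'unsafe-url',
];

// Spec: "strip url for use as a referrer" removes credentials and fragment;
// local schemes (about:, blob:, data:) never produce a referrer.
function stripForReferrer(u) {
  const url = new URL(u);
  if (['about:', 'blob:', 'data:'].includes(url.protocol)) return null;
  url.username = '';
  url.password = '';
  url.hash = '';
  return url;
}

function isTrustworthy(url) {
  return url.protocol === 'https:' || url.protocol === 'wss:';
}

// Returns the Referer header value, or null when no Referer is sent.
// An empty policy string means "no policy set", which modern browsers treat
// as strict-origin-when-cross-origin.
function computeReferer(policy, fromUrl, toUrl) {
  const source = stripForReferrer(fromUrl);
  if (source === null) return null;
  const target = new URL(toUrl);
  const sameOrigin = source.origin === target.origin;
  const downgrade = isTrustworthy(source) && !isTrustworthy(target);
  const full = source.href;                 // e.g. https://app.example/reset?token=...
  const originOnly = source.origin + '/';   // e.g. https://app.example/

  switch (policy || 'strict-origin-when-cross-origin') {
    case 'no-referrer':                 return null;
    case 'unsafe-url':                  return full;
    case 'origin':                      return originOnly;
    case 'same-origin':                 return sameOrigin ? full : null;
    case 'strict-origin':               return downgrade ? null : originOnly;
    case 'origin-when-cross-origin':    return sameOrigin ? full : originOnly;
    case 'no-referrer-when-downgrade':  return downgrade ? null : full;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Table of every policy's behaviour for one source/destination pair.
function leakTable(fromUrl, toUrl) {
  const out = {};
  for (const p of ALL_POLICIES) out[p] = computeReferer(p, fromUrl, toUrl);
  return out;
}

// Constructed sample: a password-reset page whose URL carries the token.
const RESET_PAGE = 'https://app.example/reset?token=abc123#step2';
console.log('to an HTTPS analytics endpoint:', leakTable(RESET_PAGE, 'https://analytics.example/collect'));
console.log('to a plain-HTTP CDN script:   ', leakTable(RESET_PAGE, 'http://cdn.example/widget.js'));
console.log('same-origin navigation:        ', leakTable(RESET_PAGE, 'https://app.example/done'));
```

Reading the first table row by row shows the page's point: unsafe-url and no-referrer-when-downgrade hand the token to the analytics endpoint, while strict-origin-when-cross-origin reduces it to https://app.example/.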

Will changing Referrer-Policy break my analytics?

Potentially, but less than you might expect. Analytics tools that track referral traffic read the Referer header from incoming requests. When your users navigate to external sites, those sites' analytics will see only your origin (for example https://app.example/) instead of the full page URL under strict-origin-when-cross-origin, so site-level attribution still works and only page-level attribution is lost. Your own analytics, which tracks users on your site, is unaffected, because same-origin requests still carry the full referrer.

Should I use no-referrer for maximum privacy?

Only if you have no need for referral analytics and nothing that requires a Referer header, because no-referrer strips it from same-origin requests too: some server-side CSRF defences (in your own framework or a third-party login flow) reject HTTPS form posts that arrive without a Referer, and those would start failing. strict-origin-when-cross-origin provides a good balance between privacy and functionality.

Need Professional Web Application Security Testing?

This scanner checks visible headers. VAPT Experts provides professional web application penetration testing, API security testing, and compliance-ready security reports.

Request VAPT Assessment