Referrer Policy Generator
Generate Referrer-Policy headers for websites. Compare strict-origin-when-cross-origin, no-referrer, same-origin, origin, and other browser referrer privacy policies.
Policy Settings
Selected policy: strict-origin-when-cross-origin
Modern browser default: full same-origin URL, origin only for same-security cross-origin requests, and no HTTPS-to-HTTP downgrade referrer.
Output
Generated Referrer-Policy output will appear here.
Controlling Referrer Data With a Referrer-Policy Header
The Referrer-Policy header controls how much URL information a browser sends in the Referer header when a user navigates, loads images, calls scripts, or opens third-party links.
A good policy can reduce accidental leakage of full page paths, query strings, user IDs, campaign URLs, and sensitive page context while still allowing enough referrer information for basic analytics.
Using the Referrer Policy Generator
- Choose a preset or select a Referrer-Policy value manually.
- Select the site type so the tool can add practical warnings.
- Choose HTTP header, Nginx, Apache, HTML meta, JSON, or Markdown output.
- Copy the generated policy and test it on staging.
- Check analytics, third-party integrations, and login flows before full rollout.
Common Referrer-Policy Choices
- strict-origin-when-cross-origin is the modern default in browsers and a practical explicit setting for many websites.
- no-referrer is privacy-focused and sends no referrer information.
- same-origin sends referrer data only within the same origin.
- origin sends only scheme, host, and port.
- unsafe-url sends full URLs and is usually not recommended.
Example Referrer-Policy Header
Referrer-Policy: strict-origin-when-cross-origin
Privacy and Analytics Tradeoffs
Stronger referrer privacy can reduce the detail available to analytics and third-party tools. For example, no-referrer protects the most information, but it also removes referrer data that some reporting workflows expect.
For many public sites, strict-origin-when-cross-origin is a balanced choice because it avoids sending full cross-origin paths while still allowing origin-level referrer information.
Frequently Asked Questions
What does Referrer-Policy do?
It controls how much referrer information the browser sends when loading or navigating to another resource.
Which Referrer-Policy should I use?
strict-origin-when-cross-origin is a good explicit default for many websites. Sensitive pages may prefer no-referrer or same-origin.
Is unsafe-url safe to use?
Usually no. unsafe-url can send full URLs, including paths and query strings, to other origins.
Can I use a meta tag instead of a header?
Yes, but an HTTP header is usually cleaner and applies before the page body is parsed. Meta tags can be useful when header control is limited.
Will this break analytics?
It can change what referrer data analytics tools receive. Test before deploying a stricter policy everywhere.
