Yoryantra
← Back to Tools

Referrer Policy Generator

Generate Referrer-Policy headers for websites. Compare strict-origin-when-cross-origin, no-referrer, same-origin, origin, and other browser referrer privacy policies.

Policy Settings

Selected policy: strict-origin-when-cross-origin

Modern browser default: full same-origin URL, origin only for same-security cross-origin requests, and no HTTPS-to-HTTP downgrade referrer.

Privacy: mediumCompatibility: high

Output

Generated Referrer-Policy output will appear here.
This tool generates configuration text only. Test your policy on staging before applying it to production pages.

Controlling Referrer Data With a Referrer-Policy Header

The Referrer-Policy header controls how much URL information a browser sends in the Referer header when a user navigates, loads images, calls scripts, or opens third-party links.

A good policy can reduce accidental leakage of full page paths, query strings, user IDs, campaign URLs, and sensitive page context while still allowing enough referrer information for basic analytics.

Using the Referrer Policy Generator

  1. Choose a preset or select a Referrer-Policy value manually.
  2. Select the site type so the tool can add practical warnings.
  3. Choose HTTP header, Nginx, Apache, HTML meta, JSON, or Markdown output.
  4. Copy the generated policy and test it on staging.
  5. Check analytics, third-party integrations, and login flows before full rollout.

Common Referrer-Policy Choices

  • strict-origin-when-cross-origin is the modern default in browsers and a practical explicit setting for many websites.
  • no-referrer is privacy-focused and sends no referrer information.
  • same-origin sends referrer data only within the same origin.
  • origin sends only scheme, host, and port.
  • unsafe-url sends full URLs and is usually not recommended.

Example Referrer-Policy Header

Referrer-Policy: strict-origin-when-cross-origin

Privacy and Analytics Tradeoffs

Stronger referrer privacy can reduce the detail available to analytics and third-party tools. For example, no-referrer protects the most information, but it also removes referrer data that some reporting workflows expect.

For many public sites, strict-origin-when-cross-origin is a balanced choice because it avoids sending full cross-origin paths while still allowing origin-level referrer information.

Frequently Asked Questions

What does Referrer-Policy do?

It controls how much referrer information the browser sends when loading or navigating to another resource.

Which Referrer-Policy should I use?

strict-origin-when-cross-origin is a good explicit default for many websites. Sensitive pages may prefer no-referrer or same-origin.

Is unsafe-url safe to use?

Usually no. unsafe-url can send full URLs, including paths and query strings, to other origins.

Can I use a meta tag instead of a header?

Yes, but an HTTP header is usually cleaner and applies before the page body is parsed. Meta tags can be useful when header control is limited.

Will this break analytics?

It can change what referrer data analytics tools receive. Test before deploying a stricter policy everywhere.