The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with requests made.

| Header type | Response header |
|---|---|
| Forbidden header name | no |


Note that Referer is actually a misspelling of the word "referrer". The Referrer-Policy header does not share this misspelling.

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url


no-referrer
The Referer header will be omitted entirely. No referrer information is sent along with requests.
no-referrer-when-downgrade (default)
This is the user agent's default behavior if no policy is specified. The URL is sent as a referrer when the protocol security level stays the same (HTTP→HTTP, HTTPS→HTTPS), but isn't sent to a less secure destination (HTTPS→HTTP).
origin
Only send the origin of the document as the referrer in all cases.
The document will send the referrer
origin-when-cross-origin
Send a full URL when performing a same-origin request, but only send the origin of the document for other cases.
same-origin
A referrer will be sent for same-origin requests, but cross-origin requests will contain no referrer information.
strict-origin
Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don't send it to a less secure destination (HTTPS→HTTP).
strict-origin-when-cross-origin
Send a full URL when performing a same-origin request, only send the origin when the protocol security level stays the same (HTTPS→HTTPS), and send no header to a less secure destination (HTTPS→HTTP).
unsafe-url
Send a full URL when performing a same-origin or cross-origin request.
This policy will leak origins and paths from TLS-protected resources to insecure origins. Carefully consider the impact of this setting.


| Policy | Document | Navigation to | Referrer |
|---|---|---|---|
| no-referrer | | any domain or path | no referrer |
| no-referrer-when-downgrade | | | no referrer |
| origin | | any domain or path | |
| same-origin | | | no referrer |
| strict-origin | | | no referrer |
| strict-origin | | any domain or path | |
| strict-origin-when-cross-origin | | | no referrer |
| unsafe-url | | any domain or path | |


| Specification | Status |
|---|---|
| Referrer Policy | Editor's draft |

Browser compatibility

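| Feature | Chrome | Edge | Firefox | Internet Explorer | Opera | Safari |
|---|---|---|---|---|---|---|
| Basic support | 56 | No | 50 | No | No | No |
| same-origin | 61 | No | 52 | No | 48 | No |
| strict-origin | 61 | No | 52 | No | 48 | No |
| strict-origin-when-cross-origin | 61 | No | 52 | No | 48 | No |

| Feature | Android webview | Chrome for Android | Edge mobile | Firefox for Android | Opera Android | iOS Safari | Samsung Internet |
|---|---|---|---|---|---|---|---|
| Basic support | 56 | 56 | No | 50 | No | No | 6.0 |
| same-origin | 61 | 61 | No | 52 | 48 | No | No |
| strict-origin | 61 | 61 | No | 52 | 48 | No | No |
| strict-origin-when-cross-origin | 61 | 61 | No | 52 | 48 | No | No |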


  • From version 53 onwards, Gecko has a pref available in about:config that lets users set their default Referrer-Policy: network.http.referer.userControlPolicy.
  • From version 59 onwards (see #587523), this has been replaced by network.http.referer.defaultPolicy and network.http.referer.defaultPolicy.pbmode.

Possible values are:

  • 0 — no-referrer
  • 1 — same-origin
  • 2 — strict-origin-when-cross-origin
  • 3 — no-referrer-when-downgrade (the default)

Last updated by: pwdst,