Referrer-Policy missing — the Referer header leaks URLs to third parties, and the fix
Without a Referrer-Policy, browsers may include the full URL — path and query string included — in the Referer header sent to third parties. Tokens in URLs and private routes can leak to ad networks, analytics, and outbound links.
Real-world risk
Full referrers can leak path and query data to third parties when users follow outbound links.
Fix steps (in order)
- Add Referrer-Policy: strict-origin-when-cross-origin (or stricter if compatible).
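To see exactly what the fix step above changes, here is an added Python model (not Scorifya's code) of what a browser puts in the Referer header under each of the eight standard Referrer-Policy values, plus a parser for the header's comma-separated fallback syntax. It goes beyond the single recommended value to the general algorithm; it assumes the legacy browser default of no-referrer-when-downgrade when the header is absent, and the URLs in the test are constructed samples.

```python
from urllib.parse import urlsplit, urlunsplit

# What each policy sends, given (same_origin, downgrade, full_url, origin_url).
RULES = {
    "no-referrer":                     lambda same, down, full, org: None,
    "no-referrer-when-downgrade":      lambda same, down, full, org: None if down else full,
    "same-origin":                     lambda same, down, full, org: full if same else None,
    "origin":                          lambda same, down, full, org: org,
    "strict-origin":                   lambda same, down, full, org: None if down else org,
    "origin-when-cross-origin":        lambda same, down, full, org: full if same else org,
    "strict-origin-when-cross-origin": lambda same, down, full, org: full if same else (None if down else org),
    "unsafe-url":                      lambda same, down, full, org: full,
}

def parse_referrer_policy(header_value, default="no-referrer-when-downgrade"):
    """Effective policy from a Referrer-Policy value: comma-separated fallback
    list, LAST recognised token wins, unknown tokens ignored. Missing/empty ->
    `default` (assumed: the legacy browser default that sends full URLs cross-
    origin; current browsers default to strict-origin-when-cross-origin, but only
    an explicit header makes that guaranteed and auditable)."""
    chosen = default
    for token in (header_value or "").split(","):
        token = token.strip().lower()
        if token in RULES:
            chosen = token
    return chosen

def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname or ''}" + (f":{p.port}" if p.port else "")

def referer_for(policy, source, dest):
    """Referer a browser sends for a request from `source` to `dest` under
    `policy`, or None when it sends none. Credentials and the fragment are
    always stripped from the source URL first."""
    s = urlsplit(source)
    full = urlunsplit((s.scheme, _origin(source).split("://", 1)[1], s.path, s.query, ""))
    same = _origin(source) == _origin(dest)
    downgrade = s.scheme == "https" and urlsplit(dest).scheme == "http"
    return RULES[policy](same, downgrade, full, _origin(source) + "/")

def leaks_path_or_query(policy, source, dest):
    """True when the Referer sent to `dest` discloses more than source's origin."""
    ref = referer_for(policy, source, dest)
    return ref is not None and ref != _origin(source) + "/"
```

Pass a real response's Referrer-Policy value through parse_referrer_policy and then leaks_path_or_query with one of your own URLs to turn the finding into a concrete yes/no for that page.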
Topic explainer
What is Content Security Policy (CSP)? A practical explainer →
An accessible explanation of Content Security Policy: what it does, why it exists, the directives that matter, and how to roll one out without breaking your app.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (missing_referrer_policy) clears once the externally-observable signal is in place.