
Security fix guide

How to Fix a Missing Referrer-Policy Header

A missing Referrer-Policy header can leak full URLs to third-party sites and analytics destinations.


What the issue means

A missing Referrer-Policy header can leak full URLs to third-party sites and analytics destinations.

Why it matters

URLs can contain paths, IDs, search terms, and tokens. A referrer policy limits what browsers send cross-origin.

How to check it

Inspect response headers for Referrer-Policy.
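One way to script this check, as an added example that is not part of the original guide: the Python below takes a raw response header block (for instance the output of curl -sI), picks the policy token a browser would apply, and flags a missing or weak value. The function names and sample responses are constructed for illustration, and tokens are matched case-insensitively here as an assumption.

```python
# Added example: evaluate the Referrer-Policy found in a raw response header block.
KNOWN = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Policies that still send the full URL to other origins.
FULL_URL_CROSS_ORIGIN = {"unsafe-url", "no-referrer-when-downgrade"}


def effective_policy(raw_headers):
    """Return the policy token a browser would apply, or None if there is none."""
    tokens = []
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "referrer-policy":
            # Repeated headers and comma-separated lists form one token list.
            tokens += [t.strip().lower() for t in value.split(",")]
    recognized = [t for t in tokens if t in KNOWN]
    # The last recognized token wins; unknown tokens (typos) are skipped.
    return recognized[-1] if recognized else None


def assess(raw_headers):
    """Classify a response as 'missing', 'weak:<policy>' or 'ok:<policy>'."""
    policy = effective_policy(raw_headers)
    if policy is None:
        return "missing"
    if policy in FULL_URL_CROSS_ORIGIN:
        return "weak:" + policy
    return "ok:" + policy


# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "none": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
    "typo": "HTTP/1.1 200 OK\r\nReferrer-Policy: strict-origin-when-crossorigin\r\n",
    "fallback": "HTTP/1.1 200 OK\r\nreferrer-policy: no-referrer, strict-origin-when-cross-origin\r\n",
    "weak": "HTTP/1.1 200 OK\r\nReferrer-Policy: unsafe-url\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", assess(raw))
```

A header that is present but misspelled is reported as missing, because the browser ignores a token it does not recognize.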

How to fix it

Use strict-origin-when-cross-origin for a balanced default, or no-referrer for sensitive apps.

Configuration examples

Nginx
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
Apache
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Vercel / Next.js
// next.config.js
module.exports = { headers: async () => [{ source: "/(.*)", headers: [{ key: "Referrer-Policy", value: "strict-origin-when-cross-origin" }] }] };
Cloudflare
Add Referrer-Policy with a response header modification rule.
