Free Tool
Referrer-Policy Checker
Test whether your site limits referrer leakage and protects URL paths, query strings, and sensitive navigation context.
What this tool checks
This page uses ZeriFlow's deterministic website security engine and focuses the guidance on the configuration area above. For the full report, run a complete free security scan.
Key Checks
Header Presence
Checks whether the Referrer-Policy header is sent by your website.
Cross-Origin Behavior
Explains what information can be shared with third-party destinations.
Sensitive URL Risk
Highlights why query strings and path data should not leak unnecessarily.
Analytics Balance
Suggests policies that protect privacy without breaking common analytics needs.
Recommended Baseline
Default
Use strict-origin-when-cross-origin for a balanced production baseline.
Sensitive Apps
Use no-referrer or same-origin for dashboards, portals, and private workflows.
URL Hygiene
Never place tokens or secrets in URLs, even with a strict policy.
Coverage
Set the header globally at the server, CDN, or framework layer.
FAQ
What is Referrer-Policy?
Referrer-Policy controls how much URL information the browser sends in the Referer header when users navigate from your site to another page.
What Referrer-Policy should I use?
A practical default for many websites is strict-origin-when-cross-origin. More sensitive apps may prefer no-referrer or same-origin.
Can referrer headers leak secrets?
Yes. If tokens, emails, or IDs appear in URLs, permissive referrer behavior can leak them to external sites and analytics tools.
Does Referrer-Policy break analytics?
Strict policies may reduce path-level attribution across origins, but origin-level referrer data usually remains available with strict-origin-when-cross-origin.
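As an added illustration (not part of the checker or ZeriFlow's engine), the following Python resolves a Referrer-Policy header the way a browser does and computes the Referer value sent for a navigation under each policy, which shows concretely why a token in a URL still leaks under a weak policy and why strict-origin-when-cross-origin keeps only the origin for cross-origin destinations. The header values and URLs used are constructed; the policy semantics follow the Referrer Policy specification.

```python
from urllib.parse import urlsplit, urlunsplit

# Policy names defined by the Referrer Policy specification.
POLICIES = {"no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
            "strict-origin", "origin-when-cross-origin",
            "strict-origin-when-cross-origin", "unsafe-url"}
DEFAULT = "strict-origin-when-cross-origin"   # applied by browsers when none is set
WEAK = {"unsafe-url", "no-referrer-when-downgrade"}  # full URL can cross origins

def effective_policy(header_value):
    """Resolve a Referrer-Policy header as a browser does: missing or invalid
    falls back to DEFAULT, and in a comma-separated list the last valid token
    wins. Returns (policy, verdict)."""
    if header_value is None:
        return DEFAULT, "missing: browser default applies"
    tokens = [t.strip().lower() for t in header_value.split(",")]
    valid = [t for t in tokens if t in POLICIES]
    if not valid:
        return DEFAULT, "invalid: browser default applies"
    return valid[-1], ("weak: full URL can leak cross-origin" if valid[-1] in WEAK else "ok")

def _origin(parts):
    return f"{parts.scheme}://{parts.netloc.rsplit('@', 1)[-1]}"  # no credentials

def referer_for(policy, src, dst):
    """Referer a browser sends when navigating src -> dst under `policy`, or
    None when the header is omitted. Credentials and fragment are never sent."""
    s, d = urlsplit(src), urlsplit(dst)
    same = _origin(s) == _origin(d)
    downgrade = s.scheme == "https" and d.scheme == "http"
    host = s.netloc.rsplit("@", 1)[-1]
    full = urlunsplit((s.scheme, host, s.path or "/", s.query, ""))
    origin = f"{s.scheme}://{host}/"  # origin-only form carries a trailing slash
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same else origin
    # strict-origin-when-cross-origin (DEFAULT)
    return full if same else (None if downgrade else origin)
```

Running the constructed reset-link URL through `referer_for` under each policy makes the "URL Hygiene" point visible: only no-referrer and same-origin keep the query string away from a cross-origin destination entirely, and a missing header silently gets the browser default rather than the strictest setting.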
Need the full security picture?
ZeriFlow combines deterministic website checks across headers, TLS, DNS, cookies, and email security with monitoring, reporting, and AI-powered developer workflows where implemented.