Referrer-Policy Builder
Pick a Referrer-Policy value with a description of what it does.
Overview
The Referrer-Policy Builder lets you pick one of the eight values defined by the W3C Referrer Policy spec — no-referrer, no-referrer-when-downgrade, same-origin, origin, strict-origin, origin-when-cross-origin, strict-origin-when-cross-origin, or unsafe-url — and shows a plain-English description of what the browser will send to each destination type.
Useful for privacy-aware developers and security engineers learning how to set Referrer-Policy without leaking URLs, or how to pick a Referrer-Policy for privacy. Reach for it when hardening a marketing site, fixing the analytics-attribution problems strict policies cause, or choosing the right value for a privacy-sensitive flow.
How it works
The browser sends a Referer header (yes, misspelled in HTTP/1.0) with the URL of the page that initiated the request. The Referrer Policy spec gives authors eight values to control what gets sent for same-origin vs cross-origin requests, and for HTTPS-to-HTTP downgrades.
The modern default in evergreen browsers is strict-origin-when-cross-origin: full URL on same origin, only the origin on cross-origin HTTPS-to-HTTPS, nothing on HTTPS-to-HTTP. The builder explains each policy as a 2x2 matrix of (same vs cross origin) and (secure vs downgrade).
Examples
no-referrer → no Referer header on any request. Maximum privacy, breaks attribution.
strict-origin-when-cross-origin → full URL within site, origin only to other sites over HTTPS, nothing on downgrade.
origin → only the scheme + host + port on every request, ever.
unsafe-url → full URL always, including HTTP downgrades. Rarely the right answer.
FAQ
Should I override the browser default?
The default strict-origin-when-cross-origin is good for most sites. Override only when you need stricter privacy (no-referrer, same-origin) or specific attribution behaviour.
Header vs meta tag?
The HTTP header Referrer-Policy is preferred. The <meta name="referrer"> tag works as a fallback but is parsed after the first redirect, so the header is more reliable for early subresource requests.
Per-element override?
Yes — <a rel="noreferrer"> and <a referrerpolicy="..."> override the page policy for that link only. Useful for outbound affiliate links or third-party widgets.
Will Referrer-Policy hide my URL from analytics?
Yes, if you set it strictly. Many marketing teams find that strict-origin-when-cross-origin strips campaign parameters expected on the destination. Coordinate with the analytics team before tightening.