
Referrer-Policy header is set

ab-000009 · security-headers.headers.referrer-policy
Severity: medium · Status: active

Why it matters

Without an explicit Referrer-Policy, how much of a page's URL is sent in the Referer header on outbound link clicks, image and script loads, and analytics requests is left to the browser default. Current browsers default to strict-origin-when-cross-origin, but older browsers defaulted to no-referrer-when-downgrade, which sends the full URL (paths with user IDs, session or reset tokens in query strings, internal route names) to every cross-origin destination. This leaks internal URL structure and per-user data to third-party analytics, ad networks, and CDNs. Note that the fragment after # is never sent in Referer; the path and query string are. Under GDPR Article 5(1)(c), passing personal data embedded in URLs to third parties without a lawful basis breaches the data minimisation principle. OWASP Top 10 A01:2021 (Broken Access Control) lists CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) among its mapped weaknesses, and CWE-200 is the weakness this pattern represents.

Severity rationale

Medium because referrer leakage exposes internal URL structure and user-identifiable path and query data to third-party services on every cross-origin navigation and subresource request, without the attacker needing any foothold; the actual impact depends on what the application puts in its URLs.

Remediation

Set Referrer-Policy explicitly in your header config. The browser's implicit default (strict-origin-when-cross-origin in current browsers) is reasonable, but an explicit header applies the same policy in older browsers that still default to no-referrer-when-downgrade, survives future browser policy changes, and documents intent.

// next.config.js: apply the header to every route via the headers() hook
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [{ key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' }],
    }];
  },
};

With this value the browser sends the full URL (minus any fragment) for same-origin requests, which is useful for your own analytics, but only the origin (https://yoursite.com/) for cross-origin requests, and nothing at all when an HTTPS page requests an HTTP resource. Avoid unsafe-url and no-referrer-when-downgrade, which send the full URL to cross-origin destinations; unsafe-url does so even on HTTPS-to-HTTP downgrades. When auditing, also check for a per-element referrerpolicy attribute or a <meta name="referrer"> tag, either of which overrides the header for the requests it covers.
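To make the difference between the policy values concrete, the following JavaScript, added here as an example and not code from the original page or from any browser, implements the referrer-determination rules for all eight policy values and shows what each one leaks for a given page and destination. The page URL (SENSITIVE_PAGE) and the destinations are constructed sample data; the downgrade test is simplified to HTTPS-to-HTTP and ignores the spec's other "potentially trustworthy" cases such as localhost.

```javascript
// Added example (not from the original page): a reference implementation of the
// Referrer Policy "determine request's referrer" algorithm for a request from
// `fromUrl` to `toUrl`. Returns the Referer value a browser would send, or null
// when no Referer header is sent. All URLs below are constructed sample inputs.
const POLICIES = [
  'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin',
  'unsafe-url',
];

// The "full" referrer: the URL stripped of credentials and fragment, which
// are never sent under any policy.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// The origin-only referrer: scheme + host + port, serialised with a trailing slash.
function originOnly(url) {
  return new URL(url).origin + '/';
}

// Simplified downgrade test (assumption: HTTPS -> HTTP only; the spec's
// "potentially trustworthy origin" rules for localhost etc. are not modelled).
function isDowngrade(fromUrl, toUrl) {
  return new URL(fromUrl).protocol === 'https:' && new URL(toUrl).protocol === 'http:';
}

function isSameOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin === new URL(toUrl).origin;
}

function referrerFor(policy, fromUrl, toUrl) {
  if (!POLICIES.includes(policy)) throw new Error(`unknown policy: ${policy}`);
  const sameOrigin = isSameOrigin(fromUrl, toUrl);
  const downgrade = isDowngrade(fromUrl, toUrl);
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return stripForReferrer(fromUrl);
    case 'no-referrer-when-downgrade':
      return downgrade ? null : stripForReferrer(fromUrl);
    case 'same-origin':
      return sameOrigin ? stripForReferrer(fromUrl) : null;
    case 'origin':
      return originOnly(fromUrl);
    case 'strict-origin':
      return downgrade ? null : originOnly(fromUrl);
    case 'origin-when-cross-origin':
      return sameOrigin ? stripForReferrer(fromUrl) : originOnly(fromUrl);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return stripForReferrer(fromUrl);
      return downgrade ? null : originOnly(fromUrl);
  }
}

// Policy-by-destination table for one sensitive page: what each policy leaks to
// a same-origin page, a cross-origin HTTPS third party, and an HTTP destination.
function leakTable(fromUrl, destinations) {
  const table = {};
  for (const policy of POLICIES) {
    table[policy] = {};
    for (const [label, toUrl] of Object.entries(destinations)) {
      table[policy][label] = referrerFor(policy, fromUrl, toUrl);
    }
  }
  return table;
}

// Constructed sample: a page whose path and query carry a user id and a token.
const SENSITIVE_PAGE =
  'https://app.example.com/users/4821/settings?reset_token=abc123#billing';
const DESTINATIONS = {
  sameOrigin: 'https://app.example.com/help',
  thirdPartyHttps: 'https://analytics.example.net/collect',
  thirdPartyHttp: 'http://cdn.example.org/pixel.gif',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.table(leakTable(SENSITIVE_PAGE, DESTINATIONS));
}
```

Run it with node to print the table. The rows for unsafe-url and no-referrer-when-downgrade show the reset token reaching the third-party HTTPS destination in full, while strict-origin-when-cross-origin reduces it to https://app.example.com/ and sends nothing to the HTTP destination.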

Detection

  • ID: security-headers.headers.referrer-policy

  • Severity: medium

  • What to look for: Enumerate every location where response headers are configured (framework config, reverse proxy, CDN rules) and check for a Referrer-Policy header. There are 5 acceptable values: strict-origin-when-cross-origin, strict-origin, no-referrer, same-origin, or origin-when-cross-origin.

  • Pass criteria: A Referrer-Policy header is configured with one of the 5 privacy-conscious values (strict-origin-when-cross-origin, strict-origin, no-referrer, same-origin, or origin-when-cross-origin) and no insecure value (unsafe-url, no-referrer-when-downgrade) appears. If the header carries a comma-separated list of tokens, browsers apply the last token they recognise, so evaluate that token rather than the first.

  • Fail criteria: No Referrer-Policy header is configured (current browsers default to strict-origin-when-cross-origin, but an explicit header is still required), or the header is set to unsafe-url or no-referrer-when-downgrade.

  • Skip (N/A) when: Never.

  • Detail on fail: "No Referrer-Policy header configured — relying on browser default"

  • Remediation: The Referrer-Policy header controls how much URL information is sent to other sites when users click links or the page loads cross-origin resources:

    // next.config.js, inside module.exports
    async headers() {
      return [{
        source: '/(.*)',
        headers: [{ key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' }],
      }];
    }

    strict-origin-when-cross-origin is a good default: it sends the full URL for same-origin requests, only the origin for cross-origin requests, and no referrer at all on an HTTPS-to-HTTP downgrade.
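As an added example of the check itself (not the scanner's own implementation), the JavaScript below evaluates a response's headers against the pass and fail criteria above. It parses the header value the way browsers do, taking the last recognised token of a comma-separated list, so a legacy fallback such as `no-referrer, strict-origin-when-cross-origin` passes while `strict-origin-when-cross-origin, no-referrer-when-downgrade` fails. The header lookup, the treatment of the plain `origin` value as not accepted, and the sample response header sets are all assumptions made for the example.

```javascript
// Added example (not the scanner's code): evaluate the Referrer-Policy header of
// an HTTP response against this rule's pass/fail criteria. The sample responses
// at the bottom are constructed for the example.
const PASS_VALUES = new Set([
  'strict-origin-when-cross-origin', 'strict-origin', 'no-referrer',
  'same-origin', 'origin-when-cross-origin',
]);
const FAIL_VALUES = new Set(['unsafe-url', 'no-referrer-when-downgrade']);
// Every token browsers recognise; 'origin' is valid but not in this rule's
// accepted list, so it is parsed and then reported as not accepted.
const KNOWN_VALUES = new Set([...PASS_VALUES, ...FAIL_VALUES, 'origin']);

// Referrer-Policy may carry a comma-separated list of policy tokens; browsers
// apply the last token they recognise (the list form lets a newer token follow
// a legacy fallback). Unknown tokens are ignored. Mirroring that parsing means
// the check evaluates the policy the browser would actually use.
function effectivePolicy(headerValue) {
  let policy = '';
  for (const raw of String(headerValue).split(',')) {
    const token = raw.trim().toLowerCase();
    if (KNOWN_VALUES.has(token)) policy = token;
  }
  return policy;
}

// `headers` is a plain object of response headers. Lookup is case-insensitive;
// assumption: repeated header lines were already joined with ", " (as Node's
// http module does), which the comma parsing above handles.
function checkReferrerPolicy(headers) {
  const entry = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === 'referrer-policy');
  if (!entry) {
    return { status: 'fail',
             detail: 'No Referrer-Policy header configured: relying on browser default' };
  }
  const policy = effectivePolicy(entry[1]);
  if (FAIL_VALUES.has(policy)) {
    return { status: 'fail',
             detail: `Referrer-Policy is ${policy}, which sends full URLs cross-origin` };
  }
  if (PASS_VALUES.has(policy)) {
    return { status: 'pass', detail: `Referrer-Policy is ${policy}` };
  }
  // Only unrecognised tokens (e.g. a typo): the browser falls back to its
  // default exactly as if the header were missing, so this is a fail too.
  if (policy === '') {
    return { status: 'fail',
             detail: 'Referrer-Policy header present but contains no recognised policy token' };
  }
  return { status: 'fail',
           detail: `Referrer-Policy is ${policy}, which is not one of the accepted values` };
}

// Constructed sample responses (header objects only).
const SAMPLE_RESPONSES = {
  missing: { 'content-type': 'text/html' },
  good: { 'Referrer-Policy': 'strict-origin-when-cross-origin' },
  legacyFallback: { 'referrer-policy': 'no-referrer, strict-origin-when-cross-origin' },
  leaky: { 'Referrer-Policy': 'unsafe-url' },
  fallbackToLeaky: { 'Referrer-Policy': 'strict-origin-when-cross-origin, no-referrer-when-downgrade' },
  typo: { 'Referrer-Policy': 'strict-origin-when-crossorigin' },
  originOnly: { 'Referrer-Policy': 'origin' },
};

// Returns { sampleName: 'pass' | 'fail' } for each sample.
function runChecks(responses) {
  const results = {};
  for (const [name, headers] of Object.entries(responses)) {
    results[name] = checkReferrerPolicy(headers).status;
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    const { status, detail } = checkReferrerPolicy(headers);
    console.log(`${name.padEnd(16)} ${status.toUpperCase()}  ${detail}`);
  }
}
```

The typo case is worth keeping in your own fixture set: a misspelt value is easy to miss in a config diff, and a naive `value in ALLOWED` check that only looks at the first token would wrongly pass the fallbackToLeaky case.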

External references

Taxons

History