Referrer-Policy header is set
Why it matters
Without Referrer-Policy, the full URL of the current page, including paths with user IDs, session tokens or other secrets carried in query strings, and internal route names, is sent in the Referer header on every outbound link click, image or script load, and analytics request; the browser strips only embedded credentials and the #fragment. This leaks internal URL structure and user-identifiable data to third-party analytics, ad networks, and CDNs. (Tokens in query strings should not exist in the first place; Referrer-Policy limits the blast radius when they do.) Under GDPR Article 5(1)(f), passing personal data embedded in URLs to third parties without appropriate safeguards is a failure of integrity and confidentiality. OWASP A01 (Broken Access Control) includes exposure of sensitive information to parties who were never granted access to it, and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) maps directly to this pattern.
Severity rationale
Medium because referrer leakage exposes internal URL structure and user-identifiable path and query data to third-party services on every cross-origin navigation and subresource load.
Remediation
Set Referrer-Policy explicitly in your header config. The browser's implicit default (strict-origin-when-cross-origin in modern browsers, Chromium since version 85 and Firefox since version 87) is reasonable, but explicit configuration survives browser policy changes, covers older clients that still default to no-referrer-when-downgrade, and documents intent.
// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)', // apply to every route
      headers: [{ key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' }]
    }];
  }
};
This sends the full URL for same-origin requests (useful for your own analytics) but strips the path and query for cross-origin requests, so only the origin (https://yoursite.com/) reaches third parties, and it sends nothing at all when an HTTPS page requests a plain-HTTP resource. Avoid unsafe-url and no-referrer-when-downgrade, which send full URLs cross-origin. origin-when-cross-origin is also accepted by this check but, lacking the strict- behaviour, still reveals your origin to plaintext HTTP destinations; same-origin or no-referrer are the stricter choices if you do not need referrers on cross-origin requests at all. The header sets the document-wide default; a referrerpolicy attribute on an individual a, img or iframe element, or a <meta name="referrer"> tag, can override it, so keep those in scope when auditing.
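To make the difference between the values concrete, here is an added example (not code from the original page or from the security-headers checker) that models the "determine request's referrer" steps of the Referrer Policy specification and shows what each policy hands to a same-origin endpoint, a third-party endpoint, and a plaintext-HTTP endpoint. The sample URLs are constructed; isTrustworthy is a simplification (https, wss and localhost only), comma-separated fallback lists are not parsed, and the spec's 4096-byte origin fallback is omitted.

```javascript
// Added example: how each Referrer-Policy value shapes the Referer header.
// Modelled on the W3C Referrer Policy algorithm; not the checker's own code.

// Simplified "potentially trustworthy" test (assumption: https/wss/localhost).
function isTrustworthy(url) {
  return url.protocol === 'https:' || url.protocol === 'wss:' ||
    url.hostname === 'localhost' || url.hostname === '127.0.0.1';
}

// Full referrer: credentials and the fragment are always removed.
function fullReferrer(url) {
  const u = new URL(url.href);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Origin-only referrer serialises as the origin followed by "/".
function originReferrer(url) {
  return `${url.origin}/`;
}

// Returns the Referer value a browser would send, or null for no header.
function computeReferrer(policy, fromHref, toHref) {
  const from = new URL(fromHref);
  const to = new URL(toHref);
  const sameOrigin = from.origin === to.origin;
  const downgrade = isTrustworthy(from) && !isTrustworthy(to); // HTTPS -> HTTP
  // An empty policy falls back to the modern browser default.
  const p = policy.trim().toLowerCase() || 'strict-origin-when-cross-origin';

  switch (p) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : fullReferrer(from);
    case 'origin':
      return originReferrer(from);
    case 'same-origin':
      return sameOrigin ? fullReferrer(from) : null;
    case 'strict-origin':
      return downgrade ? null : originReferrer(from);
    case 'origin-when-cross-origin':
      return sameOrigin ? fullReferrer(from) : originReferrer(from);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return fullReferrer(from);
      return downgrade ? null : originReferrer(from);
    case 'unsafe-url':
      return fullReferrer(from);
    default:
      // Unknown token: browsers ignore it and apply the default policy.
      return computeReferrer('strict-origin-when-cross-origin', fromHref, toHref);
  }
}

// Constructed sample page URL carrying a user id, a token and a fragment.
const PAGE = 'https://yoursite.com/users/42/settings?token=abc123#section';

// What a same-origin, a third-party and a plaintext destination each receive.
function leakTable(policy) {
  return {
    sameOrigin: computeReferrer(policy, PAGE, 'https://yoursite.com/api/events'),
    thirdParty: computeReferrer(policy, PAGE, 'https://analytics.example/collect'),
    downgrade: computeReferrer(policy, PAGE, 'http://cdn.example/pixel.gif'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of ['unsafe-url', 'no-referrer-when-downgrade',
                   'strict-origin-when-cross-origin', 'same-origin', 'no-referrer']) {
    console.log(p, leakTable(p));
  }
}
```

Running it shows that unsafe-url hands the token-bearing URL to every destination, no-referrer-when-downgrade hands it to every HTTPS third party, and strict-origin-when-cross-origin gives third parties only https://yoursite.com/ and plaintext destinations nothing.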
Detection
- ID: referrer-policy
- Severity: medium
- What to look for: Count all header configuration locations and check for a Referrer-Policy header. There are 5 acceptable values: strict-origin-when-cross-origin, strict-origin, no-referrer, same-origin, or origin-when-cross-origin.
- Pass criteria: A Referrer-Policy header is configured with at least 1 of the 5 privacy-conscious values (strict-origin-when-cross-origin, strict-origin, no-referrer, same-origin, origin-when-cross-origin), and no insecure value (unsafe-url, no-referrer-when-downgrade) appears.
- Fail criteria: No Referrer-Policy header configured (browsers default to strict-origin-when-cross-origin, but explicit is better), or the header is set to unsafe-url or no-referrer-when-downgrade.
- Skip (N/A) when: Never.
- Detail on fail: "No Referrer-Policy header configured — relying on browser default"
- Remediation: The Referrer-Policy controls how much URL information is sent to other sites when users click links or the page loads cross-origin resources:
  headers: [{ key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' }]
  strict-origin-when-cross-origin is a good default: it sends the full URL for same-origin requests but only the origin for cross-origin requests.
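The pass/fail rule above, implemented as an added example (not the security-headers checker's own code) over a constructed list of header configuration locations. Header names are matched case-insensitively, and a value is split on commas because Referrer-Policy allows a fallback list in which the browser applies the last token it recognises; a typo such as an unknown token counts as a fail because no browser would honour it. The location names and the input shape are assumptions for the example.

```javascript
// Added example: evaluate Referrer-Policy across header config locations.
// Input shape (assumed): [{ location: 'file', headers: [{ key, value }] }].

const SAFE_VALUES = new Set([
  'strict-origin-when-cross-origin', 'strict-origin', 'no-referrer',
  'same-origin', 'origin-when-cross-origin',
]);
const INSECURE_VALUES = new Set(['unsafe-url', 'no-referrer-when-downgrade']);

// Check one location's header list against the rule.
function checkReferrerPolicy(headers) {
  const entries = headers.filter(h => h.key.toLowerCase() === 'referrer-policy');
  if (entries.length === 0) {
    return { result: 'fail', detail: 'No Referrer-Policy header configured (relying on browser default)' };
  }
  // Split fallback lists ("no-referrer, strict-origin-when-cross-origin") into tokens.
  const tokens = entries.flatMap(h =>
    h.value.split(',').map(t => t.trim().toLowerCase()).filter(Boolean));
  const insecure = tokens.filter(t => INSECURE_VALUES.has(t));
  if (insecure.length > 0) {
    return { result: 'fail', detail: `Insecure Referrer-Policy value(s): ${insecure.join(', ')}` };
  }
  const safe = tokens.filter(t => SAFE_VALUES.has(t));
  if (safe.length === 0) {
    return { result: 'fail', detail: `Unrecognised Referrer-Policy value(s): ${tokens.join(', ')}` };
  }
  return { result: 'pass', detail: `Referrer-Policy set to ${safe.join(', ')}` };
}

// Run the check over every location; the finding fails if any location fails.
function auditLocations(locations) {
  const findings = locations.map(loc => ({ location: loc.location, ...checkReferrerPolicy(loc.headers) }));
  const overall = findings.every(f => f.result === 'pass') ? 'pass' : 'fail';
  return { overall, findings };
}

// Constructed sample input: one good config, one typo, one insecure fallback.
const SAMPLE_LOCATIONS = [
  { location: 'next.config.js',
    headers: [{ key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' }] },
  { location: 'nginx.conf',
    headers: [{ key: 'referrer-policy', value: 'strict-origin-when-cross-origins' }] },
  { location: 'vercel.json',
    headers: [{ key: 'Referrer-Policy', value: 'no-referrer, unsafe-url' }] },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditLocations(SAMPLE_LOCATIONS), null, 2));
}
```

Only the first location passes: the nginx entry carries a misspelt value that no browser would apply, and the vercel.json fallback list contains unsafe-url, which the rule rejects regardless of the safe token beside it.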
External references
- cwe · CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor
- owasp:2021 · A01 — Broken Access Control
- gdpr · Art. 5(1)(f) — Integrity and confidentiality
Taxons
History
- 2026-04-17·v1.0.0·Initial import from security-headers·automated