kevinhakanson.com

Referrer-Policy HTTP header

February 07, 2018 #http #webdev #security

Referrer-Policy is one of the security-focused HTTP headers checked during Observatory by Mozilla scans.  Scott Helme talks about this in A new security header: Referrer Policy, but his comment that you can set Referrer Policy via the Content Security Policy is based on a CSP `referrer` directive that has since been deprecated.

Using Referrer-Policy: no-referrer is effectively setting rel=noreferrer on every link and protects the most against information leakage.

Applications that need Referer header values sent to themselves (and only to themselves) should consider Referrer-Policy: same-origin.
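To make the difference between these policies concrete, here is an added example (not code from the original post) that models how a browser derives the Referer value for a request under each Referrer-Policy value, following the decision steps of the W3C Referrer Policy specification: strip credentials and fragment, reduce to origin-only where the policy says so, and send nothing on a downgrade (HTTPS to HTTP) or cross-origin request where the policy says so. The URLs in the block are constructed sample inputs, and the hostnames (`app.example`, `other.example`) are assumptions.

```javascript
// Added example: a reference model of the Referrer-Policy decision logic
// (not part of the original post). Runs under Node.js using the built-in
// WHATWG URL class; the sample URLs below are constructed inputs.

// Full referrer: the source URL with credentials and fragment removed.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Origin-only referrer: scheme://host[:port]/ with no path or query.
function originOnly(url) {
  return new URL(url).origin + "/";
}

function isSameOrigin(from, to) {
  return new URL(from).origin === new URL(to).origin;
}

// A "downgrade" is a request from an HTTPS page to a non-HTTPS destination.
function isDowngrade(from, to) {
  return new URL(from).protocol === "https:" && new URL(to).protocol !== "https:";
}

// Returns the Referer value a browser would send (a string), or null when
// no Referer header is sent at all.
function referrerFor(policy, from, to) {
  switch (policy) {
    case "no-referrer":
      // Equivalent to rel=noreferrer on every link: never send anything.
      return null;
    case "unsafe-url":
      return stripForReferrer(from);
    case "origin":
      return originOnly(from);
    case "same-origin":
      // Full referrer to our own origin, nothing to anyone else.
      return isSameOrigin(from, to) ? stripForReferrer(from) : null;
    case "strict-origin":
      return isDowngrade(from, to) ? null : originOnly(from);
    case "no-referrer-when-downgrade":
      return isDowngrade(from, to) ? null : stripForReferrer(from);
    case "origin-when-cross-origin":
      return isSameOrigin(from, to) ? stripForReferrer(from) : originOnly(from);
    case "strict-origin-when-cross-origin":
      if (isDowngrade(from, to)) return null;
      return isSameOrigin(from, to) ? stripForReferrer(from) : originOnly(from);
    default:
      throw new Error(`unknown Referrer-Policy value: ${policy}`);
  }
}

// Demonstration over the two policies the post recommends, plus the
// leakiest one for contrast. Constructed sample page URL with a query
// string that an application would not want to leak cross-origin.
function demo() {
  const page = "https://app.example/account?id=7#section";
  const targets = ["https://app.example/help", "https://other.example/", "http://other.example/"];
  const rows = [];
  for (const policy of ["no-referrer", "same-origin", "unsafe-url"]) {
    for (const to of targets) {
      rows.push({ policy, to, referer: referrerFor(policy, page, to) });
    }
  }
  return rows;
}

for (const r of demo()) {
  console.log(`${r.policy.padEnd(12)} -> ${r.to.padEnd(28)} Referer: ${r.referer ?? "(not sent)"}`);
}
```

The server side is a single response header, for example `Referrer-Policy: same-origin`; the model above is what the browser then does with it. Running the block shows that `same-origin` keeps the full URL (query string included, fragment removed) only for requests back to `app.example`, while `no-referrer` suppresses the header everywhere and `unsafe-url` leaks the query string even to an HTTP destination.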