Referrer-Policy HTTP header

February 7, 2018 #http #webdev #security

Referrer-Policy is one the security focused HTTP headers checked during Observatory by Mozilla scans.  Scott Helme talks about this in A new security header: Referrer Policy, but his comment that you can set Referrer Policy via the Content Security Policy is based on a CSP: referrer feature that had been deprecated.

Using Referrer-Policy: no-referrer is effectively setting rel=noreferrer on every link and protects the most against information leakage.

Applications that need Referer header values sent to themselves should consider Referrer-Policy: same-origin

Kevin Hakanson

Multi-Cloud Certified Architect | DevSecOps | AppSec | Web Platform | Speaker | Learner | Builder
Twitter | LinkedIn | GitHub | Stack Overflow | Credly

© 2024 Kevin Hakanson (built with Gatsby)