Missing Secure Referrer-Policy Header
What This Means
URLs whose response does not carry a Referrer-Policy header set to one of no-referrer-when-downgrade, strict-origin-when-cross-origin, no-referrer or strict-origin (a missing header counts as missing the policy). When a site is served over HTTPS, its page URLs should not be leaked in the Referer header of plain-HTTP requests that the page triggers (links, images, scripts, iframes). A URL sent over HTTP is visible to anyone on the network path, so any query-string parameters, session identifiers or other sensitive values in it can be read by a passive eavesdropper or a man-in-the-middle.
What Triggers This Issue
This issue is triggered when a URL's response does not include a Referrer-Policy header whose effective value is no-referrer-when-downgrade, strict-origin-when-cross-origin, no-referrer or strict-origin. Any one of the following headers satisfies the check:
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: no-referrer
Referrer-Policy: strict-origin
A missing header, an empty value, or a value such as unsafe-url, origin or origin-when-cross-origin (all of which still send a referrer when a request drops from HTTPS to HTTP) triggers the issue.
How To Fix
Set a referrer policy of strict-origin-when-cross-origin. It retains much of the referrer's usefulness (the full URL is still sent for same-origin requests), sends only the origin to other HTTPS sites, and sends nothing at all when a request drops from HTTPS to HTTP, which closes the leak described above. Modern browsers already apply this value when no policy is set, but serving the header explicitly covers older browsers and makes the behaviour auditable. Send it on every response, including redirects and error pages, since each URL is checked individually.
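The following is an added example, not code from the original page or from any audit tool. It implements both halves of this issue: a checker that resolves a raw Referrer-Policy header value to the policy a browser will actually enforce (browsers parse the header as a comma-separated list and keep the last token they recognise, so "no-referrer, some-new-policy" falls back to no-referrer on browsers that do not know the new name), and a fixer that adds or replaces the header on a WSGI-style list of response headers. The accepted-value set mirrors the four policies listed above; the sample header lists are constructed for illustration. Note that same-origin is also downgrade-safe in practice even though the rule as written does not list it.

```python
"""Check and fix the Referrer-Policy header (added example, not the audit tool's code)."""
from __future__ import annotations

# Every policy token the Referrer Policy spec defines.
KNOWN_POLICIES = {
    "no-referrer",
    "no-referrer-when-downgrade",
    "same-origin",
    "origin",
    "strict-origin",
    "origin-when-cross-origin",
    "strict-origin-when-cross-origin",
    "unsafe-url",
}

# The four values the rule above accepts: none of them sends a referrer on an
# HTTPS -> HTTP downgrade. (same-origin would also be downgrade-safe, but it is
# not in the rule's list, so it is left out here to match the rule.)
ACCEPTED_POLICIES = {
    "no-referrer",
    "no-referrer-when-downgrade",
    "strict-origin",
    "strict-origin-when-cross-origin",
}

DEFAULT_POLICY = "strict-origin-when-cross-origin"


def effective_policy(header_value: str | None) -> str:
    """Return the policy a browser will enforce for this header value.

    Follows the spec's header parsing: split on commas, and the LAST token that
    is a known policy wins; unknown tokens are ignored. Tokens are compared
    literally after trimming whitespace, so a miscased value is treated as
    unrecognised (the conservative choice for an audit). If a response carries
    several Referrer-Policy header lines, join them with commas before calling.
    Returns "" (the empty policy, i.e. browser default) when nothing matches.
    """
    if header_value is None:
        return ""
    chosen = ""
    for token in header_value.split(","):
        token = token.strip()
        if token in KNOWN_POLICIES:
            chosen = token
    return chosen


def is_secure(header_value: str | None) -> bool:
    """True when the header resolves to one of the four accepted policies."""
    return effective_policy(header_value) in ACCEPTED_POLICIES


def add_referrer_policy(
    headers: list[tuple[str, str]], policy: str = DEFAULT_POLICY
) -> list[tuple[str, str]]:
    """Return a copy of a WSGI-style header list with a secure Referrer-Policy.

    An already-secure header is left untouched. A missing or insecure header is
    replaced rather than appended to: appending a second line would only take
    effect if the new token happened to come last in the combined value.
    """
    if policy not in ACCEPTED_POLICIES:
        raise ValueError(f"{policy!r} is not a downgrade-safe referrer policy")
    existing = [v for name, v in headers if name.lower() == "referrer-policy"]
    if existing and is_secure(",".join(existing)):
        return list(headers)
    kept = [(name, v) for name, v in headers if name.lower() != "referrer-policy"]
    kept.append(("Referrer-Policy", policy))
    return kept


if __name__ == "__main__":
    # Constructed sample header lists, one per case the rule distinguishes.
    samples = [
        [("Content-Type", "text/html")],                                   # header missing
        [("Referrer-Policy", "unsafe-url")],                               # insecure value
        [("Referrer-Policy", "no-referrer, strict-origin-when-cross-origin")],  # fallback list
        [("Referrer-Policy", "strict-origin-when-cross-origin, unsafe-url")],   # last token wins
    ]
    for hdrs in samples:
        raw = ",".join(v for n, v in hdrs if n.lower() == "referrer-policy") or None
        print(f"{raw!r:60} -> effective={effective_policy(raw)!r} secure={is_secure(raw)}")
        print("   fixed:", add_referrer_policy(hdrs))
```

The same fix at the reverse-proxy layer is a single header directive on every response; the checker above is also useful for confirming that a proxy or CDN has not appended a second Referrer-Policy line that silently overrides the one your application sets.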