The Referrer-Policy HTTP header controls how much referrer information (the URL of the previous page) is included with requests when a user clicks a link, loads an image, or makes any request from your site to another.
Why It Matters
When no Referrer-Policy is set, the browser applies its own default. Historically that default was no-referrer-when-downgrade, which sends the full URL of the current page (in the misspelled Referer request header) to every site that receives a request, as long as the destination is not an HTTPS-to-HTTP downgrade. Current Chrome, Firefox and Safari default to strict-origin-when-cross-origin, but that default is outside your control and older or embedded browsers still apply the looser one. A full URL can leak sensitive information:
- Query parameters with tokens, session IDs, or search terms
- Private page paths (e.g., /admin/users/edit/123)
- Internal URL structure of your site
Common Values
- no-referrer — Never send the Referer header.
- no-referrer-when-downgrade — Send the full URL, except when navigating from HTTPS to HTTP. (The historical browser default; still leaks full paths and query strings to every HTTPS third party.)
- origin — Only send the origin (scheme and host, e.g. https://example.com/), never the path or query, for every request.
- strict-origin-when-cross-origin — Send the full URL for same-origin requests, only the origin for cross-origin requests, and nothing for HTTPS→HTTP downgrades. (Recommended, and the default in current browsers.)
Example
Referrer-Policy: strict-origin-when-cross-origin
What InspectWP Checks
InspectWP checks whether your WordPress site sends a Referrer-Policy header. Without it, your site relies on the browser's default behavior, which may share more information than necessary with third-party sites.
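To make the policy values above concrete, and to show the kind of check InspectWP performs on a response, here is an added Python example that is not InspectWP's own code. The first function computes the Referer value a browser would send from a given page to a given destination under each policy, following the rules in the Referrer Policy specification (the origin form carries a trailing slash, and fragments and userinfo are never sent). The second inspects a response-header dictionary and classifies the site's policy; the sample URLs and header dictionaries are constructed for illustration.

```python
from urllib.parse import urlsplit

# All policy tokens defined by the Referrer Policy specification.
POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Values that still expose full URLs to third parties.
WEAK_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}


def _parts(url):
    """Split a URL into scheme, host[:port], path, query; drop userinfo and fragment."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host += f":{p.port}"
    return p.scheme.lower(), host, p.path or "/", p.query


def origin_of(url):
    """Origin serialised the way browsers put it in Referer: scheme://host/ ."""
    scheme, host, _, _ = _parts(url)
    return f"{scheme}://{host}/"


def full_url(url):
    """Full URL minus credentials and fragment, which are never sent as Referer."""
    scheme, host, path, query = _parts(url)
    return f"{scheme}://{host}{path}" + (f"?{query}" if query else "")


def referer_for(policy, source, destination):
    """Return the Referer value a browser sends under `policy`, or None for no header."""
    same_origin = origin_of(source) == origin_of(destination)
    downgrade = _parts(source)[0] == "https" and _parts(destination)[0] == "http"
    full, origin = full_url(source), origin_of(source)

    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full if same_origin else origin
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown policy: {policy}")


def effective_policy(header_value):
    """The header may list fallbacks ("no-referrer, strict-origin-when-cross-origin");
    browsers use the last token they recognise, so unknown tokens are skipped."""
    chosen = None
    for token in header_value.split(","):
        token = token.strip().lower()
        if token in POLICIES:
            chosen = token
    return chosen


def check_referrer_policy(headers):
    """Classify a response's Referrer-Policy: missing, invalid, weak, or ok.
    `headers` is a dict of response headers; the lookup is case-insensitive."""
    value = next((v for k, v in headers.items() if k.lower() == "referrer-policy"), None)
    if value is None:
        return ("missing", None)
    policy = effective_policy(value)
    if policy is None:
        return ("invalid", value)
    if policy in WEAK_POLICIES:
        return ("weak", policy)
    return ("ok", policy)


if __name__ == "__main__":
    # Constructed sample: an admin page with a token in the query string.
    page = "https://shop.example/admin/users/edit/123?token=abc#section"
    for policy in sorted(POLICIES):
        print(f"{policy:33} -> {referer_for(policy, page, 'https://cdn.other.test/pixel.gif')}")
    # Constructed sample responses.
    print(check_referrer_policy({"Content-Type": "text/html"}))
    print(check_referrer_policy({"Referrer-Policy": "strict-origin-when-cross-origin"}))
```

To feed real headers into check_referrer_policy, capture them with `curl -sI https://your-site.example` and turn the lines into a dict; note that a policy can also be set per page with a `<meta name="referrer">` tag or per link with `referrerpolicy`, which a header-only check does not see.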