Missing Referrer-Policy header
The Referrer-Policy header is absent. When a visitor clicks an external link from your site, the full URL (including paths and parameters) is transmitted to the destination site.
Why it matters
URLs containing sensitive data (tokens, session parameters) may be exposed to third-party sites via the Referer header.
How to fix
1. Via .htaccess

```apache
<IfModule mod_headers.c>
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
```

2. Via Nginx

```nginx
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
```
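The following Python model is an added example, not code from the original page. It shows which Referer value a browser sends under each Referrer-Policy value, using the rules of the Referrer Policy specification, so the effect of `strict-origin-when-cross-origin` can be compared with a policy that sends the full URL. The function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

POLICIES = {"no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
            "strict-origin", "origin-when-cross-origin",
            "strict-origin-when-cross-origin", "unsafe-url"}
DEFAULT_PORTS = {"http": 80, "https": 443}

def effective_policy(header_value):
    """Return the last recognised token of a Referrer-Policy value, or None."""
    tokens = [t.strip().lower() for t in header_value.split(",")]
    valid = [t for t in tokens if t in POLICIES]
    return valid[-1] if valid else None

def origin_of(url):
    """Serialise scheme://host[:port] with default ports omitted."""
    p = urlsplit(url)
    port = "" if p.port in (None, DEFAULT_PORTS.get(p.scheme)) else f":{p.port}"
    return f"{p.scheme}://{p.hostname}{port}"

def referer_sent(policy, page_url, target_url):
    """Referer value sent when page_url requests target_url, or None if omitted."""
    src = urlsplit(page_url)
    origin_only = origin_of(page_url) + "/"
    # Fragments and credentials are always stripped from the full form.
    full = origin_of(page_url) + (src.path or "/") + (f"?{src.query}" if src.query else "")
    same = origin_of(page_url) == origin_of(target_url)
    downgrade = src.scheme == "https" and urlsplit(target_url).scheme != "https"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin_only
    if policy == "same-origin":
        return full if same else None
    if policy == "origin-when-cross-origin":
        return full if same else origin_only
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "strict-origin-when-cross-origin":
        if same:
            return full
        return None if downgrade else origin_only
    raise ValueError(f"unknown policy: {policy!r}")
# Constructed sample URLs (not from the page).
PAGE = "https://shop.example/account/reset?token=CONSTRUCTED123#step2"
THIRD_PARTY = "https://analytics.example/collect"
```

With the sample URLs, `referer_sent("strict-origin-when-cross-origin", PAGE, THIRD_PARTY)` yields only `https://shop.example/`, while `no-referrer-when-downgrade` passes the path and the token parameter to the third party.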