Security · Severity: Low

Referrer-Policy

Checks Referrer-Policy header — controls how much referrer info leaks to other sites.

What this check measures

We read the `Referrer-Policy` response header. Recommended values: `strict-origin-when-cross-origin` (the default in modern browsers) or `no-referrer-when-downgrade`. `unsafe-url` leaks too much, because the full URL, query string included, is sent to every destination; `no-referrer` sends nothing at all and so breaks referrer-based analytics.

Why it matters

The `Referer` request header can carry sensitive query parameters or path segments from your pages to external sites. A tight policy prevents that leak; a policy that is too tight breaks analytics and affiliate tracking that depend on the referrer.


How our audit detects it

Read the `Referrer-Policy` response header and verify that its value is present (non-empty) and is not `unsafe-url`.

Typical findings

  • Header missing — browser defaults apply (varies by browser and version).
  • Value = `unsafe-url` — full referrer leaked, including query strings.

How to fix

Set `Referrer-Policy: strict-origin-when-cross-origin` — it sends only the origin on cross-origin requests and the full URL on same-origin requests, a balance between privacy and analytics.
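The following is an added example, not Pantra's own audit code. It does two things the sections above describe: `assess_referrer_policy()` applies the detection rule (header present, non-empty, not `unsafe-url`; it also handles the comma-separated fallback list the header may carry, where browsers keep the last token they recognise), and `referrer_for()` computes what a browser would actually send as `Referer` under each policy, so you can see why `unsafe-url` is a finding and what the recommended value gives up. It goes a little beyond the page by covering every policy token in the spec, including the https-to-http downgrade case where the recommended value sends nothing. All URLs and header sets are constructed sample data; `shop.example`, `partner.example` and `tracker.example` are placeholders.

```python
from typing import Mapping, Optional
from urllib.parse import urlsplit, urlunsplit

# Policy tokens defined by the W3C Referrer Policy specification.
VALID_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
RECOMMENDED = "strict-origin-when-cross-origin"
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Serialize a URL's origin the way browsers send it in Referer: scheme://host[:port]/."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port is not None and p.port != DEFAULT_PORTS.get(p.scheme):
        host = f"{host}:{p.port}"
    return f"{p.scheme}://{host}/"


def strip_for_referrer(url: str) -> str:
    """Full-URL referrer: browsers always drop credentials and the fragment first."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port is not None:
        netloc = f"{netloc}:{p.port}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))


def referrer_for(policy: str, source: str, target: str) -> Optional[str]:
    """Referer a browser sends when a page at `source` requests `target` under `policy`.
    None means no Referer header. A downgrade is an https page requesting an http URL."""
    same_origin = origin_of(source) == origin_of(target)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(target).scheme == "http"
    full, origin = strip_for_referrer(source), origin_of(source)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":                   # full URL everywhere, even on downgrade
        return full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "no-referrer-when-downgrade":   # full URL cross-origin over https
        return None if downgrade else full
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown policy {policy!r}")


def effective_policy(raw: str) -> Optional[str]:
    """The header may carry a comma-separated fallback list; browsers use the last
    token they recognise and ignore unknown ones. Returns None if nothing is recognised."""
    chosen = None
    for token in raw.split(","):
        token = token.strip().lower()
        if token in VALID_POLICIES:
            chosen = token
    return chosen


def assess_referrer_policy(headers: Mapping[str, str]) -> dict:
    """Apply the audit rule: header present, non-empty, and not unsafe-url."""
    raw = next((v for k, v in headers.items() if k.lower() == "referrer-policy"), None)
    if raw is None or not raw.strip():
        return {"status": "error", "policy": None,
                "note": "Header missing; browser default applies (varies)."}
    policy = effective_policy(raw)
    if policy is None:
        return {"status": "error", "policy": None,
                "note": f"Unrecognised value {raw!r}; browsers ignore it, so the default applies."}
    if policy == "unsafe-url":
        return {"status": "error", "policy": policy,
                "note": "Full referrer leaked, including query strings."}
    note = "Recommended value." if policy == RECOMMENDED else "Explicit policy set."
    return {"status": "pass", "policy": policy, "note": note}


if __name__ == "__main__":
    # Constructed sample: a logged-in page whose query string carries a session token.
    SOURCE = "https://shop.example/account?session=abc123"
    TARGETS = {"same-origin": "https://shop.example/cart",
               "cross-origin": "https://partner.example/landing",
               "downgrade": "http://tracker.example/pixel"}
    for policy in ("unsafe-url", "no-referrer-when-downgrade", RECOMMENDED, "no-referrer"):
        for label, target in TARGETS.items():
            print(f"{policy:32} {label:12} -> {referrer_for(policy, SOURCE, target)}")
    for hdrs in ({}, {"Referrer-Policy": "unsafe-url"},
                 {"referrer-policy": "no-referrer, strict-origin-when-cross-origin"}):
        print(hdrs, assess_referrer_policy(hdrs))
```

Running the script prints a leakage table per policy. The contrast to look at is the cross-origin row: `unsafe-url` sends `https://shop.example/account?session=abc123` to `partner.example`, while `strict-origin-when-cross-origin` sends only `https://shop.example/` and sends nothing at all to the plain-http tracker. The header lookup is case-insensitive and tolerant of the fallback-list syntax, which is what a real response from a CDN or reverse proxy may contain.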


Frequently asked questions

What does the browser default do?
Modern Chrome and Firefox have defaulted to `strict-origin-when-cross-origin` since around 2020. Older browsers sent the full URL. Setting the policy explicitly is safer than relying on the default.
