Setting Referrer-Policy strict-origin-when-cross-origin

Implement this directive to enforce deterministic referrer routing that balances privacy compliance with analytics retention. As a core component of Web Security Headers Fundamentals, this HTTP response header overrides browser defaults and <meta> tag fallbacks when delivered server-side. Deploy it to guarantee consistent referrer stripping across all client requests without sacrificing internal navigation tracking or attribution pipelines.

Direct Answer: Behavioral Logic & Security Implications

The strict-origin-when-cross-origin directive enforces three exact routing states:

  1. Same-origin navigation: Transmits the full URL (scheme, host, port, path, and query string).
  2. Cross-origin navigation: Strips path and query parameters, transmitting only the origin (scheme://host:port).
  3. Protocol downgrade (HTTPS → HTTP): Transmits an empty Referer header.

Security Impact: Prevents sensitive path/query data from leaking to third-party resources, CDNs, or external APIs while preserving internal attribution, UTM tracking, and SEO referral data. Chromium 85+ and modern browsers default to this behavior, but explicit server deployment ensures deterministic enforcement across all clients, including privacy-hardened agents and legacy user agents.

The three routing states above, together with the no-referrer-when-downgrade rollback policy used later on this page, as a small reference model of what the browser puts in the Referer header. This is an added example, not code from the original page; it assumes Node's global URL class, treats only the https: scheme as TLS-protected (browsers also trust localhost), and the sample URLs are constructed.

```javascript
// Reference model of the Referer value a browser sends under a given policy.
// Simplification (assumption): "secure" means the https: scheme only.

// A referrer never carries the fragment or userinfo, whatever the policy.
function stripForReferrer(url) {
  const u = new URL(url);
  u.hash = '';
  u.username = '';
  u.password = '';
  return u.href;
}

function sameOrigin(from, to) {
  return new URL(from).origin === new URL(to).origin;
}

// Protocol downgrade: TLS-protected referrer, non-TLS destination.
function isDowngrade(from, to) {
  return new URL(from).protocol === 'https:' && new URL(to).protocol !== 'https:';
}

// Returns the Referer header value, or null when the header is omitted.
function computeReferer(policy, from, to) {
  switch (policy) {
    case 'strict-origin-when-cross-origin':
      if (isDowngrade(from, to)) return null;                  // state 3: empty
      if (sameOrigin(from, to)) return stripForReferrer(from);  // state 1: full URL
      return new URL(from).origin + '/';                        // state 2: origin only
    case 'no-referrer-when-downgrade':
      // Rollback policy: full URL leaks to cross-origin destinations too.
      if (isDowngrade(from, to)) return null;
      return stripForReferrer(from);
    default:
      throw new Error(`policy not modelled: ${policy}`);
  }
}

// Constructed sample navigations (placeholder hosts, not real sites).
const SAMPLES = [
  ['https://yourdomain.com/account?tab=billing#top', 'https://yourdomain.com/help'],
  ['https://yourdomain.com/account?tab=billing', 'https://cdn.example/asset.js'],
  ['https://yourdomain.com/account?tab=billing', 'http://legacy.example/'],
];

for (const [from, to] of SAMPLES) {
  for (const policy of ['strict-origin-when-cross-origin', 'no-referrer-when-downgrade']) {
    console.log(policy.padEnd(32), '->', to.padEnd(30), computeReferer(policy, from, to));
  }
}
```

Run the loop to see how the rollback policy exposes the path and query string on the cross-origin request while the recommended directive reduces it to the origin.
<test>
assert.strictEqual(computeReferer('strict-origin-when-cross-origin', 'https://yourdomain.com/account?tab=billing#top', 'https://yourdomain.com/help'), 'https://yourdomain.com/account?tab=billing');
assert.strictEqual(computeReferer('strict-origin-when-cross-origin', 'https://yourdomain.com/account?tab=billing', 'https://cdn.example/asset.js'), 'https://yourdomain.com/');
assert.strictEqual(computeReferer('strict-origin-when-cross-origin', 'https://yourdomain.com/account?tab=billing', 'http://legacy.example/'), null);
assert.strictEqual(computeReferer('strict-origin-when-cross-origin', 'https://yourdomain.com:8443/a?b=1', 'https://other.example/'), 'https://yourdomain.com:8443/');
assert.strictEqual(computeReferer('strict-origin-when-cross-origin', 'https://user:pw@yourdomain.com/a?b=1', 'https://yourdomain.com/c'), 'https://yourdomain.com/a?b=1');
assert.strictEqual(computeReferer('strict-origin-when-cross-origin', 'http://yourdomain.com/a?b=1', 'https://other.example/'), 'http://yourdomain.com/');
assert.strictEqual(computeReferer('no-referrer-when-downgrade', 'https://yourdomain.com/account?tab=billing', 'https://cdn.example/asset.js'), 'https://yourdomain.com/account?tab=billing');
assert.strictEqual(computeReferer('no-referrer-when-downgrade', 'https://yourdomain.com/account?tab=billing', 'http://legacy.example/'), null);
</test>

Exact Configuration & Diagnostic Commands

Deploy the header at the server or edge layer. Use the exact syntax below for your stack.

Nginx

add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Apache

Header always set Referrer-Policy "strict-origin-when-cross-origin"

Cloudflare

Navigate to Rules > Transform Rules > HTTP Header Modification. Create a rule to Set Referrer-Policy to strict-origin-when-cross-origin for All requests.

Express.js

app.use((req, res, next) => {
  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
  next();
});

Diagnostic CLI

curl -sI https://yourdomain.com | grep -i referrer-policy

Expected output: Referrer-Policy: strict-origin-when-cross-origin

Verification & Cross-Origin Testing

Validate that the header is served and that referrer routing behaves as described before promoting to production. Reference Referrer-Policy & Permissions-Policy Explained for advanced header interaction rules. Execute the following validation sequence:

  1. Deploy header and run curl -sI to confirm exact string match in 200 OK response.
  2. Open DevTools > Network > Enable Preserve Log. Click internal link: verify Referer contains full path and query parameters.
  3. Click external link: verify Referer contains only https://yourdomain.com/.
  4. Simulate downgrade (if applicable via test proxy): verify Referer header is absent in outgoing request.

Edge Cases, Conflicts & Safe Rollback Procedures

Address deployment conflicts and maintain operational stability during rollout.

Safe Rollback Procedure

If analytics pipelines break or routing conflicts emerge, revert immediately:

  1. Replace the directive in your server config (Apache syntax shown; use the equivalent add_header line for Nginx):
     Header always set Referrer-Policy "no-referrer-when-downgrade"
  2. Purge CDN cache layers.
  3. Run curl -sI https://yourdomain.com | grep -i referrer-policy to confirm the rollback value is being served.
  4. Validate analytics pipeline stability and monitor for referrer leakage.