Checking the Referrer Policy
If the result is positive, there is no need for further action. If the result is negative, please read the following instructions.
|Result positive||Referrer Policy is secure|
|Result negativ||Referrer Policy is insecure|
|Description||A well-defined Referrer Policy protects the privacy of your website visitors, but has no direct influence on the security of your website.|
|Background||A well-defined Referrer Policy protects the privacy of your website visitors.|
|Consequence||A missing or incorrect referrer policy enables unwanted user-identifying information outflow.|
|Solution/Tips||With the entry Referrer Policy in the Header which referrer information that was sent in the Referrer Header should be included in requests and which not can be regulated. There are many different options that can be set. Alongside Firefox, Chrome and Opera already support several options for this header entry. Currently these header entries form a Empfehlungskandidaten des W3C vom 26.01.2017. The document linked above provides an exact description of the individual possibilities.
Note on spelling: The correct English spelling is Referrer. However, the original RFC (RFC 2068) contained an accidental misspelling Referer and thus raises this spelling to the standard within HTTP. In other standards such as DOM, the correct spelling is used. When a Referrer is set, the web browser sets its own Header, which is then called e.g. `Referer: google.com`. IN this case, Referrer fit spelled wrongly, but is correct according to the standard.
We recommend that the Referrer Policy Header be set to be as restrictive as possible, i.e. to be set to ”no-referrer," for example.
Referrer Policy Definition by Server Header:
# Referrer Policy Header set referrer-Policy "no-referrer"
Referrer Policy Definition by HTML code:
<meta name="referrer" content="no-referrer" />
Statement: The value `no-referrer` instructs the browser to send Never Referer Header, which is provided by your site. This includes links to pages on your own website.
The value `same origin` instructs the browser to send only Referer Header provided by your website. If the target is another domain, no referrer information will be sent.
The value `strict-origin` instructs the browser, to always indicate the origin domain as Referer Header.
The value origin-when-cross-origin` instructs the browser to send the full referrer URL only if you stay on the same Domain. Once the domain is left via HTTPS or another Domain is addressed, only the source domain is sent.
Detailed information and examples can be found at Helme.