
Referrer-Policy Header Generator

Build and parse the HTTP Referrer-Policy header. Eight policies, behavior matrix, privacy checks, and snippets for Nginx, Apache, and Next.js.

Scenarios

Pick a starting point. You can fine-tune the policy below.

All eight policies

Select a policy to load it. Risk grades reflect the W3C spec and OWASP guidance, not just preference.

Generated header

Referrer-Policy: strict-origin-when-cross-origin

The modern browser default and the W3C recommended baseline. A good choice for almost every site.

Per-request behavior

What the browser puts in the Referer header for each navigation and subresource request.

Same origin

Full URL is sent, including path and query string.

Same origin (HTTPS to HTTP)

Full URL is sent.

Cross-origin

Only the origin is sent.

Cross-origin (HTTPS to HTTP)

No Referer header is sent (downgrade blocked).

  • Matches the default policy in Chrome, Edge, Firefox, and Safari since 2020 / 2021.
  • Keeps internal analytics rich while protecting query strings on cross-origin and downgrade requests.

Privacy checklist

How the selected policy scores on the four most common Referer leak categories.

  • HTTPS to HTTP downgrade leak

    Browsers block the Referer header on HTTPS to HTTP requests under this policy.

  • Path and query exposed to third parties

    Third-party requests see at most the origin. URL paths and query strings stay on your side.

  • Origin visible to third parties

    Third parties receive your origin and can attribute traffic to your site, which is needed by some analytics and affiliate networks.

  • Internal Referer keeps full URL

    Your own servers receive the full Referer URL on same-origin navigation, which is useful for in-app analytics.

Server snippets

Drop into your server config or platform headers file. The meta tag works for static hosts where you cannot set headers.

HTML <meta> tag

<meta name="referrer" content="strict-origin-when-cross-origin">

Nginx

add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Apache (.htaccess or httpd.conf)

Header always set Referrer-Policy "strict-origin-when-cross-origin"

Caddy (Caddyfile)

header Referrer-Policy "strict-origin-when-cross-origin"

IIS (web.config)

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Express / Node (res.setHeader)

app.use((req, res, next) => {
  res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
  next();
});

Cloudflare Worker

addEventListener("fetch", (event) => {
  event.respondWith(handle(event.request));
});

async function handle(request) {
  const response = await fetch(request);
  const headers = new Headers(response.headers);
  headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers,
  });
}

Vercel (vercel.json)

{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        { "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" }
      ]
    }
  ]
}

Netlify (_headers)

/*
  Referrer-Policy: strict-origin-when-cross-origin

Next.js (next.config.js)

module.exports = {
  async headers() {
    return [
      {
        source: "/(.*)",
        headers: [
          {
            key: "Referrer-Policy",
            value: "strict-origin-when-cross-origin",
          },
        ],
      },
    ];
  },
};

Quick reference

Referer vs Referrer

The HTTP header is misspelled as Referer (RFC 2616). The W3C spec and the policy directive use the correct Referrer spelling. Both refer to the same value.

Browser default

Chrome, Edge, Firefox, and Safari default to strict-origin-when-cross-origin when no policy is set. This is the W3C recommended baseline.

Meta tag vs header

A response header sets the policy for the whole document. The <meta name=referrer> tag does the same for static hosts. The referrerpolicy attribute on a single link, iframe, or image overrides both for that element.

Fallback list

The comma-separated list lets you ship a newer policy and a safe fallback. Browsers pick the last token they understand, so put your preferred newer policy last.

Downgrade leaks

HTTPS to HTTP requests leak more than they should under no-referrer-when-downgrade, origin, origin-when-cross-origin, and unsafe-url. The strict- variants block downgrades entirely.

Subresources

The policy applies to every request the page makes, including images, fonts, scripts, fetch calls, and beacon requests, not just hyperlinks.

How to use

  1. Pick a scenario (Modern browser default, Marketing or content site, Auth and account pages, eCommerce or affiliate site, Internal dashboard, Legacy unsafe-url partner) or choose any of the eight policies from the full list.
  2. Read the Per-request behavior card to confirm what the Referer header will contain for same-origin, same-origin downgrade, cross-origin, and cross-origin downgrade requests.
  3. Review the Privacy checklist. It scores the selected policy on downgrade leaks, query string exposure, third-party origin visibility, and internal Referer fidelity.
  4. Copy the header value or one of the server snippets (Nginx, Apache, Caddy, IIS web.config, Express, Cloudflare Worker, Vercel, Netlify _headers, Next.js next.config.js). Static hosts can use the HTML meta tag instead.
  5. Switch to Parse mode to inspect an existing header. Paste a value from curl -I, the browser DevTools Network panel, a meta tag, or a comma-separated fallback list; the tool reports the effective policy a browser will pick and flags duplicate or unknown tokens.

About this tool

Referrer-Policy Header Generator builds and parses the HTTP Referrer-Policy response header (and the equivalent meta name=referrer tag) defined by the W3C Referrer Policy specification. The header controls what the browser puts in the Referer request header when navigating from your page or when fetching subresources from it. The eight named policies trade off between giving target pages useful attribution data and leaking the user's session URL, query string, or origin into third-party logs.

Build mode lets you pick a policy from a short list of scenarios (modern browser default, marketing site, auth and account pages, eCommerce affiliate, internal dashboard, legacy unsafe-url partner) or from the full set of eight: no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, and unsafe-url. Each option ships with a plain English summary, a risk grade aligned with OWASP Secure Headers guidance, the four-cell behavior matrix that describes what the Referer header contains for same-origin requests, same-origin HTTPS to HTTP requests, cross-origin requests, and cross-origin HTTPS to HTTP requests, and short notes that call out the common foot-guns (affiliate networks that need a referrer, query string leaks, downgrade leaks, hidden origin). A live privacy checklist scores the selected policy on four common leak categories: HTTPS to HTTP downgrade leaks, path and query exposure to third parties, third-party origin visibility, and internal Referer fidelity.

Drop-in snippets cover the HTML meta name=referrer tag for static hosts, Nginx add_header, Apache .htaccess Header always set, the Caddyfile header directive, IIS web.config customHeaders, an Express middleware that calls res.setHeader, a Cloudflare Worker that overrides the response, vercel.json headers, the Netlify _headers file, and a next.config.js headers() entry.
Parse mode accepts a raw value, the full header line with the Referrer-Policy: prefix, a comma-separated fallback list, or a meta tag, then splits it into tokens, validates each one against the eight known policy names, flags duplicates and unknown values, and reports the effective browser policy (the last recognized token in the list, per the W3C spec). The fallback list pattern lets you ship a newer policy with an older fallback for browsers that do not yet understand it. Useful for hardening a production site, switching off the permissive no-referrer-when-downgrade default that older browsers still applied, reviewing a header pasted from curl -I or DevTools, choosing a policy for an auth page where reset tokens appear in the URL, or auditing a meta tag that conflicts with the server header. Every policy value, header, and snippet stays in your browser; nothing is uploaded to a server.
