What is the default Referrer-Policy?

Modern browsers default to strict-origin-when-cross-origin. It sends the full URL on same-origin requests, only the origin on cross-origin requests, and nothing when navigating from HTTPS to HTTP. This balances usefulness with privacy.

What does the downgrade in no-referrer-when-downgrade mean?

A downgrade is a request from a more secure context to a less secure one, specifically HTTPS to HTTP. Under no-referrer-when-downgrade the full referrer is sent everywhere except on such downgrades, where it is suppressed.

What is the difference between origin and strict-origin?

Both send only the scheme, host and port as the referrer. The strict variant additionally withholds the referrer entirely on an HTTPS-to-HTTP downgrade, whereas plain origin still sends the origin on a downgrade.

Why prefer strict-origin-when-cross-origin over unsafe-url?

unsafe-url leaks the full URL — including path and query — to every destination, including third parties and over downgrades. strict-origin-when-cross-origin keeps full URLs for your own origin but reveals only the origin externally, preventing path and query leakage.

Does this tool send any referrer?

No. It only describes what each policy would send. The lookup runs entirely in your browser.

Referrer-Policy Values Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

Controlling what the Referer header leaks

The Referrer-Policy header (and the equivalent <meta name="referrer"> tag and per-element referrerpolicy attribute) decides how much of the current URL is placed in the Referer request header when the browser follows a link or loads a subresource. This reference lists all eight values and shows the exact referrer sent in each navigation scenario.

How it works

For every outgoing request the browser computes a referrer string from the current document’s URL, trimmed according to the active policy. The key distinctions are: full URL versus origin-only, whether cross-origin requests are treated differently, and whether an HTTPS-to-HTTP downgrade suppresses the referrer:

Referrer-Policy: strict-origin-when-cross-origin

For example, on a page at https://shop.example/cart?id=9, a same-origin request sends the full URL, a cross-origin HTTPS request sends only https://shop.example/, and an HTTPS-to-HTTP request sends nothing.

Tips and notes

strict-origin-when-cross-origin is the safe modern default — prefer it.
Use no-referrer for maximum privacy when you never need the Referer downstream.
Avoid unsafe-url; it leaks full path and query to third parties.
Set per-link policy with <a referrerpolicy="..."> for fine control.
Origin-only values still leak which site the user came from, just not the path.