Referrer Policy Header Test
Check whether a site controls referrer information in HTTP response headers.
What Is a Referrer Policy Header Test?
The Referrer Policy Header Test checks whether a page returns the Referrer-Policy HTTP response header. This header controls how much URL information browsers send in the Referer request header when a visitor clicks a link or loads a cross-origin resource.
The result banner tells you whether the Referrer-Policy header was found.
For many public websites, strict-origin-when-cross-origin is a sensible default. More privacy-sensitive applications may choose same-origin or no-referrer, but the right policy depends on your product security requirements.
Note: This tool follows redirects and inspects the response headers returned by the final page.
Why It Matters
Without an explicit policy, browsers may send more referrer information than you expect. That can expose full URLs, paths, or query strings to third-party sites and analytics endpoints.
Common policies include:
| Policy | Behavior |
|---|---|
| no-referrer | Sends no referrer information. |
| same-origin | Sends referrer information only for same-origin requests. |
| strict-origin | Sends only the origin, and only from HTTPS to HTTPS. |
| strict-origin-when-cross-origin | Sends full URL on same-origin requests, origin only cross-origin, and no referrer on HTTPS-to-HTTP downgrades. |
| origin | Sends only the origin for all requests. |
| unsafe-url | Sends the full URL and is usually not recommended. |
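
To see what each policy in the table actually exposes, the following added example (not part of this tool's code) computes the Referer value a destination would receive for a given page URL. The function names, the `.example` hosts and the token in the sample URL are constructed for illustration, and only the six policies listed above are covered.

```python
from urllib.parse import urlsplit, urlunsplit

def _host(parts):
    # Drop any user:password@ prefix; credentials never appear in Referer.
    return parts.netloc.rpartition("@")[2].lower()

def referer_sent(policy, source_url, dest_url):
    """Return the Referer value sent under `policy`, or None if omitted."""
    src, dst = urlsplit(source_url), urlsplit(dest_url)
    # Simplification: origins compare by scheme + host[:port] as written,
    # so an explicit default port (":443") is treated as a different origin.
    same_origin = (src.scheme, _host(src)) == (dst.scheme, _host(dst))
    downgrade = src.scheme == "https" and dst.scheme != "https"
    origin_only = f"{src.scheme}://{_host(src)}/"
    # Full form keeps path and query but never the fragment.
    full = urlunsplit((src.scheme, _host(src), src.path or "/", src.query, ""))

    if policy == "no-referrer":
        return None
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin_only
    if policy == "origin":
        return origin_only
    if policy == "unsafe-url":
        return full
    raise ValueError(f"policy not covered by this example: {policy!r}")

POLICIES = ("no-referrer", "same-origin", "strict-origin",
            "strict-origin-when-cross-origin", "origin", "unsafe-url")

def leak_report(source_url, dest_url):
    """Map each policy to what the destination would see."""
    return {p: referer_sent(p, source_url, dest_url) for p in POLICIES}

if __name__ == "__main__":
    # Constructed sample: a page URL carrying a secret in its query string.
    page = "https://app.example/reset?token=abc123#step2"
    for dest in ("https://app.example/next", "https://cdn.example/lib.js",
                 "http://legacy.example/pixel.gif"):
        print(dest)
        for policy, value in leak_report(page, dest).items():
            print(f"  {policy:32} -> {value}")
```

Running it shows that under unsafe-url the query-string token reaches the third-party host, while strict-origin-when-cross-origin reduces the same request to the bare origin.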
Referer vs Referrer
The HTTP request header is historically misspelled as Referer. The response header that controls it uses the correct spelling: Referrer-Policy.
Frequently Asked Questions
Referrer-Policy controls how much URL information the browser sends in the Referer header when someone clicks a link or loads a cross-origin resource.
The original HTTP request header is misspelled as Referer. The modern response header uses the correct spelling: Referrer-Policy.
strict-origin-when-cross-origin is a common modern default. More restrictive sites may use same-origin, strict-origin, or no-referrer depending on privacy needs.