Referrer Policy
Written by Ulises Gascón
Apr 08, 2020 — 1 min readThe attack
The Referrer Policy module can control the behavior of the Referer
header by setting the Referrer-Policy
header.
The Referer
HTTP header is typically set by web browsers to tell a server where it’s coming from. For example, if you click a link on example.com/index.html
that takes you to wikipedia.org
, Wikipedia’s servers will see Referer: example.com
.
This can have privacy implications—websites can see where users are coming from.
The header
The new Referrer-Policy
HTTP header lets authors control how browsers set the Referer
header.
For example, when supported browsers see this header, they will set no Referer
header at all:
Referrer-Policy: no-referrer
There are other directives, too. same-origin
, for example, will only send the Referer
header for pages on the same origin.
Referrer-Policy: same-origin
You can see the full list of directives on the specification and support in all browsers
The code
const helmet = require('helmet')
// Sets "Referrer-Policy: same-origin".
app.use(helmet.referrerPolicy({ policy: 'same-origin' }))