All fix guides
How to set a Referrer-Policy
Stop full URLs (and any tokens in them) leaking to third-party sites.
What it is
The Referrer-Policy header controls how much of the current URL is sent as the `Referer` when a user navigates or a resource loads.
Why it matters
Without a policy, full URLs — which sometimes contain session tokens or private identifiers — leak to external sites and analytics.
How to fix it
- 1Add `Referrer-Policy: strict-origin-when-cross-origin` (a good default) or `no-referrer` for maximum privacy.
- 2Avoid putting secrets in URLs in the first place.
- 3Re-scan to confirm.
Not sure if your site is affected?
Run a free scan — or let us fix it all for you.