All fix guides

How to set a Referrer-Policy

Stop full URLs (and any tokens in them) leaking to third-party sites.

What it is

The Referrer-Policy header controls how much of the current URL is sent as the `Referer` when a user navigates or a resource loads.

Why it matters

Without a policy, full URLs — which sometimes contain session tokens or private identifiers — leak to external sites and analytics.

How to fix it

  1. 1Add `Referrer-Policy: strict-origin-when-cross-origin` (a good default) or `no-referrer` for maximum privacy.
  2. 2Avoid putting secrets in URLs in the first place.
  3. 3Re-scan to confirm.

Not sure if your site is affected?

Run a free scan — or let us fix it all for you.

Privacy and cookie preferences

We use strictly necessary cookies to run the site. Analytics, marketing, and AI assistant telemetry are optional and disabled until you choose. You can update consent any time in Cookie Settings.

Some infrastructure cookies, such as load balancer routing cookies, are essential for service delivery. Details: Cookie Policy