To fix a missing Referrer-Policy, add the response header Referrer-Policy: strict-origin-when-cross-origin. This sends only the origin (not the full URL) to other sites, protecting privacy while preserving analytics. Apply site-wide and re-scan.
Without a Referrer-Policy, browsers may send your full URLs — including query strings that can contain sensitive data — to third-party sites when users click outbound links or load external resources. A sensible policy limits this. The fix is one header.
Check your website
See how your site handles how to fix missing referrer-policy — free, no account needed.
Business impact
Full referrer URLs can leak internal paths, tokens or personal data to third parties and advertisers. Setting a privacy-preserving Referrer-Policy protects your users' data and supports your compliance posture, with no downside to legitimate analytics.
Why this happens
It is missing because browsers apply a default (usually strict-origin-when-cross-origin in modern browsers) only when no header is set — being explicit is safer and consistent across browsers. Causes are simply "never configured".
How to confirm the issue
Manually: check DevTools → Network for referrer-policy, or curl -I https://yoursite.com.
With Plexa Trust: run a scan for "Missing Referrer-Policy" and re-scan after applying the header.
Step-by-step fix
Add
Referrer-Policy: strict-origin-when-cross-originto all responses.Use
no-referrerfor maximum privacy if you do not need referrer data at all.Deploy site-wide and re-scan.
Platform-specific fixes
Cloudflare
Rules → Transform Rules → Modify Response Header.
Add header
Referrer-Policy=strict-origin-when-cross-origin.
Apache
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Reload Apache.
Nginx
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
Run
nginx -tand reload.
WordPress
Set the Referrer-Policy option in a security-headers plugin, or add it in server config.
How to verify the fix
strict-origin-when-cross-originbalances privacy and analytics well.Use
no-referrerfor the strictest privacy.Re-scan and confirm the finding is cleared.
Common mistakes
Using
unsafe-url, which leaks full URLs to everyone.Relying on browser defaults instead of being explicit.
Applying it to only some pages.
Frequently asked questions
What does Referrer-Policy control?
How much of the referring URL the browser sends to another site when a user clicks a link or loads an external resource.
Which value should I use?
strict-origin-when-cross-origin is a strong default: it shares the full URL within your site but only the origin to other sites.
Will it break my analytics?
No. It still sends your origin to third parties and full paths within your own site, so first-party analytics are unaffected.
What is the most private option?
no-referrer sends no referrer information at all. Use it if you never need referrer data.
Why does leaking the full URL matter?
URLs can contain sensitive query parameters like tokens, emails or internal paths that should not reach third parties.
Is a Referrer-Policy required by law?
Not specifically, but limiting data shared with third parties supports privacy obligations like GDPR.
Where do I set it?
Site-wide at your server or CDN.
How do I confirm it worked?
Re-scan with Plexa Trust and verify the header via curl or DevTools.
Think you've fixed it?
Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.
Verify with a free scan