Referrer-Policy
The Referrer-Policy header controls what URL information is shared when users navigate from your site to external links. SaaSalyst checks whether your server sends this header, detecting a missing privacy control that may leak sensitive URL paths or query parameters to third parties.
What SaaSalyst Checks
SaaSalyst inspects the HTTP response headers for the Referrer-Policy header. Any valid policy value (strict-origin-when-cross-origin, no-referrer, same-origin, etc.) satisfies the check.
Why This Matters
Without a Referrer-Policy, browsers send the full URL (including paths and query parameters) as a referrer when users click external links. If your URLs contain sensitive information (session tokens, user IDs, search queries), this data leaks to third-party sites.
The recommended policy for most SaaS products is 'strict-origin-when-cross-origin', which sends only the origin (scheme, host and port, with no path or query string) for cross-origin requests, sends nothing at all when navigating from HTTPS to HTTP, and preserves the full referrer for same-origin navigation.
This header is increasingly checked in security audits as part of privacy-by-design assessments.
How to Fix It
- Add Referrer-Policy: strict-origin-when-cross-origin to your server's response headers. This is the recommended default for most sites.
- For maximum privacy, use Referrer-Policy: no-referrer (sends no referrer information at all) or strict-origin (sends only the origin, never the path or query string, and nothing on an HTTPS-to-HTTP navigation).
- Configure this in your web server, CDN, or application framework's header configuration.
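As an added illustration (not SaaSalyst's code), the Python below models what a browser puts in the Referer header for the policies named above, given the page URL and the link destination, and mirrors the header check itself. The missing-header case is modelled as the legacy no-referrer-when-downgrade behaviour the text describes (current browsers default to strict-origin-when-cross-origin); all URLs and header values are constructed.

```python
from typing import Mapping, Optional
from urllib.parse import urlsplit, urlunsplit

# Policy tokens defined by the Referrer Policy specification.
VALID_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

def _origin(url: str) -> str:
    """Serialized origin with trailing slash, as sent for origin-only policies."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.rsplit('@', 1)[-1]}/"  # drop user:pass@

def _stripped(url: str) -> str:
    """Full URL minus credentials and fragment (browsers never send those)."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc.rsplit("@", 1)[-1], p.path, p.query, ""))

def referrer_sent(policy: Optional[str], source: str, destination: str) -> Optional[str]:
    """Return the Referer value the browser sends, or None when nothing is sent."""
    # Assumption: a missing header behaves like the legacy default described above.
    policy = (policy or "no-referrer-when-downgrade").strip().lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"invalid Referrer-Policy: {policy!r}")
    same_origin = _origin(source) == _origin(destination)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(destination).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _stripped(source)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _stripped(source)
    if policy == "same-origin":
        return _stripped(source) if same_origin else None
    if policy == "origin":
        return _origin(source)
    if policy == "strict-origin":
        return None if downgrade else _origin(source)
    if policy == "origin-when-cross-origin":
        return _stripped(source) if same_origin else _origin(source)
    if same_origin:                       # strict-origin-when-cross-origin
        return _stripped(source)
    return None if downgrade else _origin(source)

def check_referrer_policy(headers: Mapping[str, str]) -> str:
    """'ok' if a Referrer-Policy header with only valid tokens is present, else 'missing'/'invalid'."""
    value = next((v for k, v in headers.items() if k.lower() == "referrer-policy"), None)
    if value is None:
        return "missing"
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    return "ok" if tokens and all(t in VALID_POLICIES for t in tokens) else "invalid"
```

Running `referrer_sent(None, "https://app.example.com/reports?session=abc123", "https://analytics.example.net/")` shows the whole query string leaking, while the same call with "strict-origin-when-cross-origin" yields only "https://app.example.com/".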
Frequently Asked Questions
How does SaaSalyst check for Referrer-Policy?
SaaSalyst inspects your HTTP response headers for a Referrer-Policy header. Any valid policy value satisfies the check.
Why does Referrer-Policy matter?
Without it, your full URLs (including paths and query parameters) leak to external sites when users click links. SaaSalyst checks this because it's a privacy protection that prevents sensitive URL data exposure.
How does Referrer-Policy affect my Business Readiness Score?
SaaSalyst rates Referrer-Policy as low severity in Security & Infrastructure. While missing it doesn't heavily penalize your score, it's part of comprehensive security header coverage.