HTTP Headers WordPress Plugin – Referrer-Policy

The HTTP Headers plugin can set a Referrer-Policy header to control what information is sent in the Referer header with URI requests. This keeps URLs that contain sensitive information from showing up in web analytics software logs. For example, clicking a link on a password reset page could send user credentials within the referrer.

Below we cover adding Referrer-Policy in WordPress with the HTTP Headers plugin.


Referrer Policy

  1. Install and activate the HTTP Headers plugin using your WordPress dashboard or WP-CLI.
  2. Log in to your WordPress dashboard.
  3. On the left, hover over Settings and click HTTP Headers.
  4. Click the Security (0/15) button.
  5. Click Edit beside Referrer-Policy.
  6. Click the On button.
  7. Choose a policy option from the drop-down:
    empty string – No preference
    no-referrer – No referrer info sent
    no-referrer-when-downgrade – Full URL sent unless HTTPS to HTTP page (Default behavior if no policy specified)
    same-origin – Only origin (root domain – e.g. example.com instead of example.com/page-1) for within the same site
    origin – Only origin
    strict-origin – Origin only when protocol security level is the same (e.g. HTTPS > HTTPS)
    origin-when-cross-origin – Full URL for within the same site, but only origin for others
    strict-origin-when-cross-origin – Full URL when within site, only origin when protocol security level is the same (e.g. HTTPS > HTTPS), and no info from HTTPS to HTTP
    unsafe-url – Full URL (not recommended)
  8. Save Changes.

[Screenshot: Referrer-Policy options in HTTP Headers plugin]

Choose the most secure policy for your needs.

Test your results at SecurityHeaders.com. Learn more about Referrer-Policy at Mozilla.org.
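
A local check that complements the SecurityHeaders.com test, as an added example that is not part of the HTTP Headers plugin or the original article: it reads a raw response header block, resolves the effective policy the way browsers do (the last recognized token wins, unknown tokens are skipped), and flags a missing or full-URL policy. The function names and the sample responses are constructed for illustration.

```python
# Added example: cross-origin HTTPS-to-HTTPS exposure under each policy.
CROSS_ORIGIN_LEAK = {
    "no-referrer": "nothing",
    "same-origin": "nothing",
    "origin": "origin",
    "strict-origin": "origin",
    "origin-when-cross-origin": "origin",
    "strict-origin-when-cross-origin": "origin",
    "no-referrer-when-downgrade": "full URL",
    "unsafe-url": "full URL",
}

def referrer_policy_values(raw_headers):
    """Collect every Referrer-Policy value from a raw header block."""
    values = []
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "referrer-policy":
            values.append(value.strip())
    return values

def effective_policy(values):
    """Last recognised token wins; unknown tokens are skipped."""
    policy = None
    for value in values:
        for token in value.split(","):
            token = token.strip().lower()  # lenient: case-insensitive match
            if token in CROSS_ORIGIN_LEAK:
                policy = token
    return policy

def audit(raw_headers):
    """Return (policy, cross-origin leak, verdict) for one response."""
    policy = effective_policy(referrer_policy_values(raw_headers))
    if policy is None:
        return (None, "browser default", "missing")
    leak = CROSS_ORIGIN_LEAK[policy]
    return (policy, leak, "weak" if leak == "full URL" else "ok")

# Constructed sample responses (not captured from a real site).
BASE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
SAMPLES = {
    "fallback": BASE + "Referrer-Policy: no-referrer, strict-origin-when-cross-origin\r\n",
    "weak": BASE + "referrer-policy: unsafe-url\r\n",
    "typo": BASE + "Referrer-Policy: strict-origin-when-crossorigin\r\n",
    "unset": BASE,
}
if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit(raw))
```

The "typo" sample shows why a check is worth running after saving the setting: a misspelled policy token is silently ignored, so the response behaves as if no policy were set.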
