HTTP Headers WordPress Plugin – Referrer-Policy

The HTTP Headers plugin can set a referrer-policy header to control what information is sent through the referer header with URI requests. This prevents URLs with sensitive information from showing up in web analytics software logs. For example, clicking links on a password reset page could send user credentials within the referrer.

Below we cover adding Referrer-Policy in WordPress with the HTTP Headers plugin.

Get more performance and security features with our NGINX-powered WordPress Hosting.

Referrer Policy

  1. Install, and activate, the HTTP Headers plugin using your WordPress dashboard or WP-CLI.
  2. Log in to your WordPress dashboard.
  3. On the left, hover over Settings and click HTTP Headers.
  4. Click the Security (0/15) button.
  5. Click Edit beside Referrer-Policy.
  6. Click the On button.
  7. Choose a policy option from the drop-down:
    empty string – No preference
    no-referrer – No referrer info sent
    no-referrer-when-downgrade – Full URL sent unless HTTPS to HTTP page (Default behavior if no policy specified)
    same-origin – Only origin (root domain – e.g. example.com instead of example.com/page-1) for within the same site
    origin – Only origin
    strict-origin – Origin only when protocol security level is the same (e.g. HTTPS > HTTPS)
    origin-when-cross-origin – Full URL for within the same site, but only origin for others
    strict-origin-when-cross-origin – Full URL when within site, only origin when protocol security level is the same (e.g. HTTPS > HTTPS), and no info from HTTPS to HTTP
    unsafe-url – Full URL (not recommended)
  8. Save Changes.
Referrer-Policy options in HTTP Headers plugin
Choose the most secure policy for your needs

Test your results at SecurityHeaders.com. Learn more about Referrer-Policy at Mozilla.org.

Was this article helpful? Let us know!