The HTTP Headers plugin can set a Referrer-Policy header to control what information is sent in the Referer header with URI requests. This prevents URLs with sensitive information from showing up in web analytics software logs. For example, clicking links on a password reset page could send user credentials within the referrer.
Below we cover adding Referrer-Policy in WordPress with the HTTP Headers plugin.
- Install and activate the HTTP Headers plugin using your WordPress dashboard or WP-CLI.
- Log in to your WordPress dashboard.
- On the left, hover over Settings and click HTTP Headers.
- Click the Security (0/15) button.
- Click Edit beside Referrer-Policy.
- Click the On button.
- Choose a policy option from the drop-down:
  - empty string – No preference
  - no-referrer – No referrer info sent
  - no-referrer-when-downgrade – Full URL sent unless going from an HTTPS to an HTTP page (default behavior if no policy is specified)
  - same-origin – Only origin (root domain – e.g. example.com instead of example.com/page-1) within the same site
  - origin – Only origin
  - strict-origin – Origin only when protocol security level is the same (e.g. HTTPS > HTTPS)
  - origin-when-cross-origin – Full URL within the same site, but only origin for others
  - strict-origin-when-cross-origin – Full URL when within site, only origin when protocol security level is the same (e.g. HTTPS > HTTPS), and no info from HTTPS to HTTP
  - unsafe-url – Full URL (not recommended)
- Save Changes.
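
After saving, it is worth confirming what the site actually sends. The following is an added example, not code from the HTTP Headers plugin: it audits the Referrer-Policy value in a raw response head, such as the output of `curl -sI` against your site. The function names, finding labels and sample responses are constructed for illustration, and matching policy names case-insensitively is a choice made by this example.

```python
# Added example (not the plugin's code): audit Referrer-Policy in a response head.
VALID_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

def header_values(raw_head, name):
    """Return all values of header `name` (case-insensitive) from a raw response head."""
    values = []
    for line in raw_head.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            values.append(value.strip())
    return values

def audit_referrer_policy(raw_head):
    """Report the policy a browser would apply and classify the result."""
    values = header_values(raw_head, "Referrer-Policy")
    if not values:
        return {"effective": None, "unknown": [], "finding": "missing"}
    # Repeated headers and comma-separated lists form one token list.
    tokens = [t.strip().lower() for v in values for t in v.split(",") if t.strip()]
    unknown = [t for t in tokens if t not in VALID_POLICIES]
    recognised = [t for t in tokens if t in VALID_POLICIES]
    effective = recognised[-1] if recognised else None  # last recognised token wins
    if not tokens:
        finding = "no-preference"  # the "empty string" option
    elif effective is None:
        finding = "invalid"        # only typos or unsupported values
    elif effective == "unsafe-url":
        finding = "weak"           # full URL sent everywhere
    else:
        finding = "ok"
    return {"effective": effective, "unknown": unknown, "finding": finding}

# Constructed sample response heads (not captured from a real site).
SAMPLES = {
    "fallback list": "HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                     "Referrer-Policy: no-referrer, strict-origin-when-cross-origin\r\n\r\n",
    "typo": "HTTP/1.1 200 OK\r\nreferrer-policy: strict-orgin\r\n\r\n",
    "unsafe": "HTTP/1.1 200 OK\r\nReferrer-Policy: unsafe-url\r\n\r\n",
    "not set": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    for label, head in SAMPLES.items():
        print(label, audit_referrer_policy(head))
```

A finding of "missing" or "invalid" means browsers fall back to their own default, so a misspelled value is worth catching even though the header is present.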