The HTTP Headers plugin can set a referrer-policy header to control what information is sent through the <code>referer</code> header with URI requests. This prevents URLs with sensitive information from showing up in web analytics software logs. For example, clicking links on a password reset page could send user credentials within the referrer.
Below we cover adding Referrer-Policy in WordPress with the HTTP Headers plugin.
- Install and activate the HTTP Headers plugin using your WordPress dashboard or WP-CLI.
- Log in to your WordPress dashboard.
- On the left, hover over Settings and click HTTP Headers.
- Click the Security (0/15) button.
- Click Edit beside Referrer-Policy.
- Click the On button.
- Choose a policy option from the drop-down:
  - empty string – No preference
  - no-referrer – No referrer info sent
  - no-referrer-when-downgrade – Full URL sent unless HTTPS to HTTP page (Default behavior if no policy specified)
  - same-origin – Only origin (root domain – e.g. example.com instead of example.com/page-1) for within the same site
  - origin – Only origin
  - strict-origin – Origin only when protocol security level is the same (e.g. HTTPS > HTTPS)
  - origin-when-cross-origin – Full URL for within the same site, but only origin for others
  - strict-origin-when-cross-origin – Full URL when within site, only origin when protocol security level is the same (e.g. HTTPS > HTTPS), and no info from HTTPS to HTTP
  - unsafe-url – Full URL (not recommended)
- Save Changes.
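After saving, it is worth confirming what the site actually sends. The following is an added example, not code from the plugin or from this article: it parses a block of response headers (such as the output of `curl -sI` against your site), works out which policy a browser would apply when the header carries a comma-separated fallback list, and flags the two options that can send a full URL to another site. The function names, verdict strings and sample responses are constructed for illustration.

```python
from typing import Optional

# Policy names as listed in the plugin's drop-down (empty string excluded).
VALID = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Options that can send the full URL (path and query string) to another site.
FULL_URL_CROSS_SITE = {"unsafe-url", "no-referrer-when-downgrade"}


def effective_policy(raw_headers: str) -> Optional[str]:
    """Return the policy a browser would apply, or None if none is usable."""
    policy = None
    for line in raw_headers.strip().splitlines():
        if not line.strip():
            break  # blank line: end of the header block
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "referrer-policy":
            continue
        # The header may repeat or carry a comma-separated fallback list.
        # The last recognized token wins; unknown tokens are skipped.
        for token in value.split(","):
            token = token.strip().lower()  # matched case-insensitively here
            if token in VALID:
                policy = token
    return policy


def audit(raw_headers: str) -> str:
    """Classify a response as 'missing', 'weak' or 'ok' (labels are ours)."""
    policy = effective_policy(raw_headers)
    if policy is None:
        return "missing"  # browser falls back to its own default
    return "weak" if policy in FULL_URL_CROSS_SITE else "ok"


# Constructed sample responses (not captured from a real site).
SAMPLE_FALLBACK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   "Referrer-Policy: no-referrer, strict-origin-when-cross-origin\r\n\r\n")
SAMPLE_WEAK = "HTTP/1.1 200 OK\r\nreferrer-policy: Unsafe-URL\r\n\r\n"
SAMPLE_UNKNOWN = "HTTP/1.1 200 OK\r\nReferrer-Policy: no-referrer, made-up-policy\r\n\r\n"
SAMPLE_NONE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("fallback", SAMPLE_FALLBACK), ("weak", SAMPLE_WEAK),
                          ("unknown", SAMPLE_UNKNOWN), ("none", SAMPLE_NONE)]:
        print(label, effective_policy(sample), audit(sample))
```

Run the check against a page that carries secrets in its URL, such as the password reset page, since caching or security plugins can change headers on individual routes.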