The HTTP Referrer-Policy header controls how much referrer information is included in requests when a user navigates from one page to another.

Why is this an issue?

Unsafe Referrer-Policy values such as no-referrer-when-downgrade or unsafe-url cause the browser to send the full URL—including query parameters—in the Referer header to destination servers. When URLs contain sensitive data such as session tokens, user identifiers, or form inputs submitted via HTTP GET, those values are leaked to any server that receives a request from the page. This includes third-party services such as analytics or advertising platforms embedded on the page.

What is the potential impact?

When the referrer policy is too permissive, sensitive information embedded in page URLs—such as form inputs or session identifiers—can be leaked to third-party servers through the Referer header. An attacker with access to server logs or the ability to intercept network traffic may recover this sensitive data.

How to fix it

Code examples

The following code is vulnerable because the referrer policy is set to no-referrer-when-downgrade, which sends the full URL—including any sensitive query parameters—to third-party servers.

Noncompliant code example

const express = require('express');
const helmet = require('helmet');

let app = express();

app.use(
  helmet.referrerPolicy({
    policy: 'no-referrer-when-downgrade' // Noncompliant
  })
);

Compliant solution

const express = require('express');
const helmet = require('helmet');

let app = express();

app.use(
  helmet.referrerPolicy({
    policy: 'no-referrer'
  })
);
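To make the leak described under "Why is this an issue?" concrete, here is an added example (not part of the rule page or of helmet) that simulates the browser's Referrer Policy algorithm with Node's built-in URL class, for all standard policy values rather than only the two named above. The page URL, the third-party origin and the token value are constructed for the demonstration.

```javascript
// Added example: what a browser puts in the Referer header for a given
// Referrer-Policy value, source page and destination. Uses only the
// built-in URL class, so it runs without express or helmet.

// Spec "strip url for use as a referrer": drop credentials and fragment.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = ''; u.password = ''; u.hash = '';
  return u.href;
}

// Origin-only referrer, e.g. "https://app.example/".
function originOf(url) {
  return new URL(url).origin + '/';
}

// Returns the Referer value the browser would send, or null for none.
function computeReferer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl), to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return stripForReferrer(fromUrl);
    case 'no-referrer-when-downgrade': return downgrade ? null : stripForReferrer(fromUrl);
    case 'origin': return originOf(fromUrl);
    case 'same-origin': return sameOrigin ? stripForReferrer(fromUrl) : null;
    case 'strict-origin': return downgrade ? null : originOf(fromUrl);
    case 'origin-when-cross-origin': return sameOrigin ? stripForReferrer(fromUrl) : originOf(fromUrl);
    case 'strict-origin-when-cross-origin':
    case '': // empty policy: browsers fall back to strict-origin-when-cross-origin
      if (sameOrigin) return stripForReferrer(fromUrl);
      return downgrade ? null : originOf(fromUrl);
    default: throw new Error('unknown Referrer-Policy value: ' + policy);
  }
}

// Policies that can put the full path and query on the wire to another origin.
const LEAKY_POLICIES = new Set(['no-referrer-when-downgrade', 'unsafe-url']);

function leaksQueryCrossOrigin(policy) {
  return LEAKY_POLICIES.has(policy);
}

// Constructed sample input: a page whose URL carries a reset token, and an
// embedded HTTPS analytics endpoint (no downgrade, so the full URL is sent).
const PAGE = 'https://app.example/reset?token=SECRET123';
const THIRD_PARTY = 'https://analytics.example/collect';
console.log(computeReferer('no-referrer-when-downgrade', PAGE, THIRD_PARTY));
console.log(computeReferer('no-referrer', PAGE, THIRD_PARTY));
```

The first call shows the token reaching the third party under the noncompliant policy; the second shows nothing sent under no-referrer, and strict-origin-when-cross-origin would send only "https://app.example/".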
