When a visitor clicks a link on your site, their browser normally tells the destination page where the visitor came from, via the Referer request header (the header name itself is famously misspelled, while the policy header below is spelled correctly). Depending on the browser's settings, that can include the full URL of the page the visitor was on, query string included, which may reveal more about your site and your users than you intend.
The Referrer-Policy response header exists to control this. It instructs the visitor's browser to limit the referrer information it includes in outgoing requests to whatever the policy defines. Note that the policy applies to every request the page triggers, not just link clicks: images, scripts, stylesheets and fetch requests are covered as well.
In this article, we’ll show you how to use the Security Headers plugin to customize a Referrer-Policy header to restrict the information that is sent when clicking a link on your site.
Using the Security Headers Plugin to Set and Customize Your HTTP Referrer Policy
- Start by logging into your WordPress admin.
- Next, install and activate the Security Headers plugin.
- To access the new options that are provided by the Security Headers plugin, hover over Settings, then click on HTTP Headers.
- Inside the plugin’s options page, look for a drop-down labeled HTTP Referrer Policy and select your desired referrer policy.
If you’re not sure which is best for your site, here’s a quick overview of the different options available to you:
- no-referrer: The Referer header is omitted entirely, for internal and external links alike. This is the most private setting. Do not confuse it with leaving the header unset, which hands the decision to the browser's own default.
- no-referrer-when-downgrade: This option passes the full referrer to every destination, except when the connection is downgraded from HTTPS to HTTP. This was the browser default for many years, but current versions of Chrome, Firefox and Edge now default to strict-origin-when-cross-origin when no policy is set, so choosing this option actually sends more to external sites than many visitors' browsers would send on their own.
- origin: This option sends only the originating site, without any path or query string. For example, if a link was clicked on https://example.com/some-page/, the referrer would be sent as https://example.com/. Note that the origin is sent even to plain-HTTP destinations.
- origin-when-cross-origin: This option sends the full URL (path and query string) when clicking internal links, but only the originating site when going to external links, including plain-HTTP ones.
- same-origin: This option only sends referrer information when going to internal links. All external link clicks omit the referrer entirely.
- strict-origin: This option is a combination of no-referrer-when-downgrade and origin. Whatever link is clicked, at most the originating site is sent, and if the link goes from HTTPS to an HTTP destination, no referrer is sent at all.
- strict-origin-when-cross-origin: This option is similar to origin-when-cross-origin, but with the added protection of no-referrer-when-downgrade. Internal links pass on the full referrer, external links pass on only the originating site, and if the link goes from HTTPS to an HTTP destination, no referrer is sent. This is the current default in most browsers and a sensible choice for most sites.
- unsafe-url: This option always sends the full URL (minus any fragment and credentials, which browsers never include) regardless of the destination, even over plain HTTP. Not recommended.
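To make the differences between these options concrete, the following script (an added example, not part of the original article or the plugin's code) simulates the Referer value a browser would send from a page on your site to an internal link, an external HTTPS link and an external plain-HTTP link under each policy. It follows the W3C Referrer Policy algorithm in simplified form: a "downgrade" is treated as https: to http:, local schemes (data:, blob:, about:) never produce a referrer, and the unset/empty policy is mapped to strict-origin-when-cross-origin, which is what current Chrome, Firefox and Edge use by default. The URLs are constructed for illustration.

```javascript
// Added example: simulate the Referer value a modern browser sends when a page
// at `fromUrl` links to `toUrl` under a given Referrer-Policy. Simplified from
// the W3C spec's "Determine request's referrer" algorithm (assumptions: a
// downgrade is https: -> http:; the empty policy behaves like
// strict-origin-when-cross-origin, the current browser default).

const REFERRER_POLICIES = new Set([
  "", "no-referrer", "no-referrer-when-downgrade", "origin",
  "origin-when-cross-origin", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);

// Schemes whose URLs never serve as a referrer (the spec's "local schemes").
const LOCAL_SCHEMES = new Set(["about:", "blob:", "data:"]);

// "Strip url for use as a referrer": browsers always drop credentials and the
// fragment; with originOnly the path and query go too, leaving scheme://host/.
function stripForReferrer(url, originOnly) {
  if (originOnly) return url.origin + "/";
  const u = new URL(url.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Returns the Referer string, or null when the browser sends no Referer.
function computeReferrer(policy, fromUrl, toUrl) {
  if (!REFERRER_POLICIES.has(policy)) throw new Error(`unknown policy: ${policy}`);
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  if (LOCAL_SCHEMES.has(from.protocol)) return null;

  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol === "http:";
  const full = stripForReferrer(from, false);
  const originOnly = stripForReferrer(from, true);

  switch (policy) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return full;
    case "no-referrer-when-downgrade":
      return downgrade ? null : full;
    case "origin":
      return originOnly;
    case "strict-origin":
      return downgrade ? null : originOnly;
    case "same-origin":
      return sameOrigin ? full : null;
    case "origin-when-cross-origin":
      return sameOrigin ? full : originOnly;
    case "":
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
  }
}

// Table of every policy against three constructed destinations: an internal
// link, an external HTTPS link and an external plain-HTTP link. The source URL
// deliberately carries credentials, a query string and a fragment to show what
// survives stripping.
function referrerTable(fromUrl = "https://user:pw@example.com/some-page/?q=1#top") {
  const targets = {
    internal: "https://example.com/other-page/",
    externalHttps: "https://partner.example/landing",
    externalHttp: "http://partner.example/landing",
  };
  const table = {};
  for (const policy of REFERRER_POLICIES) {
    table[policy || "(unset)"] = Object.fromEntries(
      Object.entries(targets).map(([name, to]) => [name, computeReferrer(policy, fromUrl, to)])
    );
  }
  return table;
}

console.table(referrerTable());
```

Run it with node and read the table row for the policy you are considering: a null cell means the destination learns nothing, https://example.com/ means it learns only that the visitor came from your site, and the full URL means it sees the page and query string. Notice that unsafe-url and origin still hand data to the plain-HTTP destination, where it travels in cleartext, while the strict-* policies do not.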
- Once you’ve selected your HTTP Referrer Policy, scroll down to the bottom of the page and click the Save Changes button to save your settings. Then confirm the header actually reaches visitors: open any page on your site with the browser's developer tools and look for Referrer-Policy in the response headers, or run curl -sI against your site's URL and check for the same header. A caching layer or CDN in front of WordPress can strip or override response headers, so check the response the public sees rather than only the admin side.