Referrer Policy
In short: the Referrer Policy module controls what browsers put in the Referer header by setting the Referrer-Policy header.
The attack
The Referer HTTP header (the misspelling is historical and is now part of the protocol) is set by web browsers to tell a server which page a request came from. For example, if you click a link on example.com/index.html that takes you to wikipedia.org, Wikipedia's servers will see Referer: https://example.com/index.html.
This has privacy implications: websites can see where users are coming from, and because the full URL is sent, anything in the referring page's path or query string (search terms, session identifiers, password-reset tokens) leaks to the destination along with it.
The header
The new Referrer-Policy HTTP header lets authors control how browsers set the Referer header.
For example, when supported browsers see this header, they will send no Referer header at all:
Referrer-Policy: no-referrer
There are other directives, too. same-origin, for example, sends the full Referer only for requests to the same origin as the current page and omits it for cross-origin requests.
Referrer-Policy: same-origin
You can see the full list of directives on the specification.
Browser support for this header is mixed.
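To make the directives concrete, the following is a model of how a browser decides the Referer value for a request under each directive. This is an added example written for this page, not Helmet's code and not part of the original; it follows the algorithm in the Referrer Policy specification and covers all eight directives, not only the two shown above. `computeReferer`, `stripForReferrer` and the sample URLs are names and constructed inputs chosen here for illustration, and "potentially trustworthy" is simplified to "uses https:".

```javascript
// Added example (not Helmet's code): models the Referer value a browser
// would send for a request, given the Referrer-Policy in effect on the
// referring page. Uses only the built-in WHATWG URL class.

const DIRECTIVES = new Set([
  'no-referrer',
  'no-referrer-when-downgrade',
  'same-origin',
  'origin',
  'strict-origin',
  'origin-when-cross-origin',
  'strict-origin-when-cross-origin',
  'unsafe-url',
]);

// Credentials and the fragment are never sent in Referer, whatever the policy.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Simplification (assumption): the spec's "potentially trustworthy" notion
// also covers localhost, file: and others; https: is what matters for the
// downgrade rules modelled here.
function isTrustworthy(url) {
  return new URL(url).protocol === 'https:';
}

// Returns the Referer header value the browser would send, or null for none.
function computeReferer(policy, referrerUrl, requestUrl) {
  if (!DIRECTIVES.has(policy)) {
    throw new Error('unknown Referrer-Policy directive: ' + policy);
  }
  const from = new URL(referrerUrl);
  const to = new URL(requestUrl);
  const sameOrigin = from.origin === to.origin;
  // A "downgrade" is an https: page making a request to a non-https: URL.
  const downgrade = isTrustworthy(referrerUrl) && !isTrustworthy(requestUrl);
  const full = stripForReferrer(referrerUrl);        // path and query kept
  const originOnly = from.origin + '/';              // scheme, host, port only

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return full;
    case 'origin':
      return originOnly;
    case 'same-origin':
      return sameOrigin ? full : null;
    case 'origin-when-cross-origin':
      return sameOrigin ? full : originOnly;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : full;
    case 'strict-origin':
      return downgrade ? null : originOnly;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
  }
}

// Constructed sample: a page with credentials, a query string and a fragment,
// linking to an http: page on another origin.
const FROM = 'https://user:pw@example.com/index.html?session=abc#top';
const TO = 'http://wikipedia.org/';
for (const p of DIRECTIVES) {
  console.log(p.padEnd(32), computeReferer(p, FROM, TO));
}
```

Running the block shows the practical difference between the directives: only `unsafe-url` and `no-referrer-when-downgrade` (when no downgrade occurs) expose the query string cross-origin, which is why a policy that strips to the origin, or to nothing, is the safer choice for pages whose URLs carry secrets.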
The code
Helmet’s Referrer Policy module is a relatively simple middleware that will set the Referrer-Policy header.
You can use this module as part of Helmet:
// Make sure you run "npm install helmet" to get the Helmet package.
var helmet = require('helmet')
// Sets "Referrer-Policy: same-origin".
app.use(helmet.referrerPolicy({ policy: 'same-origin' }))
You can also use it as a standalone module:
// Make sure you run "npm install referrer-policy" to get the referrer-policy package.
var referrerPolicy = require('referrer-policy')
// Sets "Referrer-Policy: no-referrer".
app.use(referrerPolicy({ policy: 'no-referrer' }))
Once you’ve required it, you can use it in your apps:
// Sets "Referrer-Policy: same-origin".
app.use(helmet.referrerPolicy({ policy: 'same-origin' }))
// Sets "Referrer-Policy: unsafe-url".
app.use(helmet.referrerPolicy({ policy: 'unsafe-url' }))
// Sets "Referrer-Policy: no-referrer".
app.use(helmet.referrerPolicy())
This header is not included in the default Helmet bundle, so app.use(helmet()) alone will not set it; you must call helmet.referrerPolicy() explicitly as shown above.