Referrer-Policy

What it is

A response header (or per-element attribute) that controls how much of the source URL the browser sends in the Referer header on outbound navigations and subresource loads.

Why it matters

Default behaviour leaks full URLs — including query params and tokens — to every third-party request. Tightening this is one line of config and closes a real privacy gap.

Who it applies to

Every site that ever sends an outbound request.

How WQI scores it

Web Quality Index considers this standard satisfied when the supporting factor passes.

Related standards

See also

Security headers , Permissions-Policy

Standards that share factors with this one

Auto-computed from overlapping factor tickets in satisfiedBy, excluding standards already listed under "See also" above. Strong overlap suggests these standards rise and fall together when sites are scored.

• Content Security Policy Level 3 1 shared factor Security The deployable CSP today. script-src, object-src, and base-uri are the three controls that actually stop XSS — the rest is optional.
• Cross-Origin isolation (COOP / COEP / CORP) 1 shared factor Security Three response headers that together unlock SharedArrayBuffer and high-resolution timers — and incidentally close a class of cross-origin side-channel leaks.
• HTTP Strict Transport Security 1 shared factor Security One header tells every future visitor 'always HTTPS, never HTTP, no exceptions'. Should ship everywhere; preload only after you're sure.
• ISO/IEC 27001:2022 1 shared factor Security International gold standard for an Information Security Management System. The 2022 revision restructures the Annex A controls to align with ISO 27002:2022.
• NIST Cybersecurity Framework 2.0 1 shared factor Security Voluntary, US-government-blessed taxonomy for cybersecurity programs. The 2.0 revision (Feb 2024) added a 'Govern' function alongside the original Identify / Protect / Detect / Respond / Recover.

Other references

• guidance MDN — Referrer-Policy