How To Fix Website Security Headers Referrer-Policy Using .htaccess File

To use the Referrer-Policy header with one of the available values, you can add the following code to your .htaccess file:


<IfModule mod_headers.c>
    # Keep exactly ONE of the lines below. "Header set" replaces any earlier
    # value, so if several stay active only the last one is sent.

    # Set Referrer-Policy header to "no-referrer"
    Header set Referrer-Policy "no-referrer"

    # Set Referrer-Policy header to "no-referrer-when-downgrade"
    Header set Referrer-Policy "no-referrer-when-downgrade"

    # Set Referrer-Policy header to "origin"
    Header set Referrer-Policy "origin"

    # Set Referrer-Policy header to "unsafe-url"
    Header set Referrer-Policy "unsafe-url"

    # Set Referrer-Policy header to "same-origin"
    Header set Referrer-Policy "same-origin"
</IfModule>

Here's what each value means:

  • "no-referrer": The browser will not send a referrer header in any situation.
  • "no-referrer-when-downgrade": The browser will send a referrer header for same-origin requests, but not for cross-origin requests unless the protocol changes from HTTPS to HTTP.
  • "origin": The browser will send a referrer header that includes the origin of the requesting page (i.e., the scheme, host, and port), but not the full URL.
  • "unsafe-url": The browser will send the full URL in the referrer header for all requests.
  • "same-origin": The browser will send a referrer header for same-origin requests, but not for cross-origin requests.

You can set multiple Referrer-Policy values in one line using a comma-separated list. Here's an example:


Header set Referrer-Policy "no-referrer, no-referrer-when-downgrade, origin, unsafe-url, same-origin"

This will set the Referrer-Policy header to include all available values in the order they are listed, separated by commas. The browser will choose the appropriate policy based on the situation.

Note that not all browsers support multiple Referrer-Policy values, so it's a good idea to test your website in different browsers to ensure that it is working as expected.

You can choose the appropriate value for your website's security and privacy requirements.
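To see the difference between the values before touching .htaccess, the following added example (not code from the original post) simulates the Referer value a browser sends under each Referrer-Policy value, and parses a comma-separated header the way the Referrer Policy specification does: the last recognised token wins and unknown tokens are ignored. The URLs in the test are constructed sample inputs; the downgrade check is simplified to "HTTPS source, non-HTTPS destination".

```python
from urllib.parse import urlsplit

# Every token the Referrer Policy spec recognises, not only the five the post lists.
POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}

def parse_policy_header(value: str) -> str:
    """Parse 'Referrer-Policy: a, b, c' as browsers do: the last recognised
    token wins, unknown tokens are skipped, '' means no policy was set."""
    policy = ""
    for token in value.split(","):
        token = token.strip().lower()
        if token in POLICIES:
            policy = token
    return policy

def _origin(url: str) -> str:
    """Serialised origin plus '/', the form used for origin-only referrers."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname}{port}/"

def _stripped(url: str) -> str:
    """Full referrer: credentials and fragment removed, path and query kept."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{p.hostname}{port}{p.path or '/'}{query}"

def referer_for(policy: str, source: str, dest: str):
    """Referer value (or None) sent for a request from `source` to `dest`."""
    same_origin = _origin(source) == _origin(dest)
    # Simplified downgrade test: secure page -> non-secure destination.
    downgrade = urlsplit(source).scheme == "https" and urlsplit(dest).scheme != "https"
    full, origin = _stripped(source), _origin(source)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else (None if downgrade else origin)
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown policy: {policy}")
```

Run `parse_policy_header` on the comma-separated line from the post to see which single value a browser actually ends up applying.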
