Let’s say you’re visiting Twitter and click on a link in a tweet. When you navigate to the new website, it will know that you came from Twitter, because your browser attaches something called a referrer header (spelled ‘Referer’ in the HTTP header itself) to the request. This is how most analytics applications are able to know where your users came from. And while it’s great to have this information to optimize your website, it might be nice to protect your users’ privacy as well. The Referrer-Policy header offers several options that let you control how much information your site gives away as a referrer.

You can add this to Nginx using:

add_header 'Referrer-Policy' 'strict-origin';

Which policy you use should depend on your use case. Personally, the strict-origin policy seems best, because it is a nice combination of protecting users’ privacy and being polite to other websites by allowing them to do basic analytics: they learn only the origin (scheme and host) you came from, not the full URL. It would also prevent leaking referrer information in the event of a protocol downgrade, i.e. when a link on an HTTPS page leads to a plain HTTP site.
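To see what each policy actually lets through, here is an added example (not code from the original post) that implements the browser-side decision rules from the W3C Referrer Policy specification: given the page a link is on, the destination, and the policy the page served, it returns the Referer value the browser sends, or None when no header is sent. The URLs in the accompanying checks are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Policy names and decision rules follow the W3C Referrer Policy specification.
# A "downgrade" is a navigation from an https:// page to a non-https:// one.
DEFAULT_POLICY = "strict-origin-when-cross-origin"

def _host(parts):
    """Host plus explicit port; usernames and passwords are dropped."""
    host = parts.hostname or ""
    return f"{host}:{parts.port}" if parts.port is not None else host

def origin_of(url: str) -> str:
    """scheme://host[:port]/ with path, query, fragment and credentials removed."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host(p), "/", "", ""))

def strip_for_referrer(url: str) -> str:
    """Full URL minus credentials and fragment, as browsers send it when allowed."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host(p), p.path or "/", p.query, ""))

def referrer_to_send(source: str, destination: str, policy: str = DEFAULT_POLICY):
    """Return the Referer value a browser sends when a link on `source` leads to
    `destination`, or None when no Referer header is sent at all."""
    policy = policy.strip().lower() or DEFAULT_POLICY  # empty value -> spec default
    src, dst = urlsplit(source), urlsplit(destination)
    if src.scheme not in ("http", "https"):
        return None  # file://, about:blank and similar pages never send a referrer
    same_origin = origin_of(source) == origin_of(destination)
    downgrade = src.scheme == "https" and dst.scheme != "https"

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return strip_for_referrer(source)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else strip_for_referrer(source)
    if policy == "origin":
        return origin_of(source)
    if policy == "same-origin":
        return strip_for_referrer(source) if same_origin else None
    if policy == "origin-when-cross-origin":
        return strip_for_referrer(source) if same_origin else origin_of(source)
    if policy == "strict-origin":
        return None if downgrade else origin_of(source)
    # strict-origin-when-cross-origin (also used for unrecognised values)
    if same_origin:
        return strip_for_referrer(source)
    return None if downgrade else origin_of(source)
```

Feeding the same source and destination through each policy shows the trade-off discussed above: unsafe-url and no-referrer-when-downgrade leak the full path and query string, while strict-origin reduces this to the bare origin and sends nothing at all on an HTTPS-to-HTTP downgrade.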

Resources