Referrer-Policy

Enabled Control how much referrer information should be included with requests.


The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. Aside from the HTTP header, you can set this policy in HTML.

ℹ Read more about this header here.

Usage

This header is enabled by default but you can change its behavior like following.

export default defineNuxtConfig({
  // Global
  security: {
    headers: {
      referrerPolicy: <OPTIONS>,
    },
  },

  // Per route
  routeRules: {
    '/custom-route': {
      security: {
        headers: {
          referrerPolicy: <OPTIONS>,
        },
      },
    }
  }
})

You can also disable this header by referrerPolicy: false.

Default value

By default, Nuxt Security will set following value for this header.

Referrer-Policy: no-referrer

Available values

The referrerPolicy header can be configured with following values.

referrerPolicy: 'no-referrer'
  | 'no-referrer-when-downgrade'
  | 'origin'
  | 'origin-when-cross-origin'
  | 'same-origin'
  | 'strict-origin'
  | 'strict-origin-when-cross-origin'
  | 'unsafe-url'
  | false

no-referrer

The Referer header will be omitted: sent requests do not include any referrer information.

no-referrer-when-downgrade

Send the origin, path, and querystring in Referer when the protocol security level stays the same or improves (HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS). Don't send the Referer header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file).

origin

Send only the origin in the Referer header. For example, a document at https://example.com/page.html will send the referrer https://example.com/.

origin-when-cross-origin

When performing a same-origin request to the same protocol level (HTTP→HTTP, HTTPS→HTTPS), send the origin, path, and query string. Send only the origin for cross origin requests and requests to less secure destinations (HTTPS→HTTP).

same-origin

Send the origin, path, and query string for same-origin requests. Don't send the Referer header for cross-origin requests.

strict-origin

Send only the origin when the protocol security level stays the same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).

strict-origin-when-cross-origin (default)

Send the origin, path, and querystring when performing a same-origin request. For cross-origin requests send the origin (only) when the protocol security level stays same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).

ℹ Note: This is the default policy if no policy is specified, or if the provided value is invalid (see spec revision November 2020). Previously the default was no-referrer-when-downgrade.

unsafe-url

Send the origin, path, and query string when performing any request, regardless of security.

⚠️ This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.