<zhead>

Meta Tags

referrer

Learn how to use the referrer meta tag to improve your site.

Specifies information sent as a Referrer header when the user navigates from the current page to an external link. It allows you to control the amount of referrer information included in requests.

Parameters

no-referrer
No referrer information is sent along with requests.
<meta name="referrer" content="no-referrer" />
no-referrer-when-downgrade
Default behavior where no referrer information is sent to HTTPS to HTTP requests.
<meta name="referrer" content="no-referrer-when-downgrade" />
origin
Only the origin of the document is sent as the referrer in all cases.
<meta name="referrer" content="origin" />
origin-when-cross-origin
The origin is sent as a referrer to other origins, full URL is sent for same origin requests.
<meta name="referrer" content="origin-when-cross-origin" />
same-origin
A full referrer is sent for same-origin requests but no referrer for cross-origin requests.
<meta name="referrer" content="same-origin" />
strict-origin
Only sends the origin as referrer to a HTTPS URL from HTTPS URL.
<meta name="referrer" content="strict-origin" />
strict-origin-when-cross-origin
Sends full referrer to same origin requests, only origin when the protocol security level stays the same.
<meta name="referrer" content="strict-origin-when-cross-origin" />
unsafe-url
Full URL is sent along with requests even in case of HTTPS to HTTP.
<meta name="referrer" content="unsafe-url" />
export type Referrer =
     /**
   * No referrer information is sent along with requests.
  **/
    'no-referrer'
    /**
   * Default behavior where no referrer information is sent to HTTPS to HTTP requests.
  **/
    'no-referrer-when-downgrade'
    /**
   * Only the origin of the document is sent as the referrer in all cases.
  **/
    'origin'
    /**
   * The origin is sent as a referrer to other origins, full URL is sent for same origin requests.
  **/
    'origin-when-cross-origin'
    /**
   * A full referrer is sent for same-origin requests but no referrer for cross-origin requests.
  **/
    'same-origin'
    /**
   * Only sends the origin as referrer to a HTTPS URL from HTTPS URL.
  **/
    'strict-origin'
    /**
   * Sends full referrer to same origin requests, only origin when the protocol security level stays the same.
  **/
    'strict-origin-when-cross-origin'
    /**
   * Full URL is sent along with requests even in case of HTTPS to HTTP.
  **/
    'unsafe-url'

Code Examples

<meta name="referrer" content="origin" />
Ensures that only the origin of the document is sent as referrer information, enhancing privacy without completely removing referrer data.
<meta name="referrer" content="strict-origin-when-cross-origin" />
Strikes a balance by sending full URLs for same-origin requests but only the origin when transitioning to a different origin with the same or higher security.
<meta name="referrer" content="no-referrer" />
While it maximizes privacy, using "no-referrer" can break analytics and other features that rely on referrer information.
<meta name="referrer" content="unsafe-url" />
The use of "unsafe-url" exposes potentially sensitive information across all navigations, including unsecured HTTP.

Recommendations

  • 01
    Set a Referrer Policy
    Without a "referrer" meta tag, browsers use "no-referrer-when-downgrade", potentially leaking data over unsecured connections.
  • 02
    Increasing Privacy
    Using "same-origin" can help prevent leaking sensitive information to third-party websites while navigating away from your site.

Related Documentation

Related Meta Tags

Content-Security-Policy

http-equiv

Defines which dynamic resources are allowed to load, thus helping to prevent cross-site scripting attacks, data injection, and other malicious attempts to exploit web page vulnerabilities.

<html lang="en">
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://apis.google.com;">
</html>
Allows scripts, styles, and images to load from the site's own origin and scripts from Google APIs, tightening security by restricting external resources.

referrer

name

Specifies information sent as a Referrer header when the user navigates from the current page to an external link. It allows you to control the amount of referrer information included in requests.

<html lang="en">
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta name="referrer" content="origin">
</html>
Ensures that only the origin of the document is sent as referrer information, enhancing privacy without completely removing referrer data.

refresh

http-equiv

Used to redirect the user to a new URL after a certain number of seconds, or to refresh the current page. While it can be useful for redirecting users or refreshing content, its usage is generally discouraged in favor of server-side redirects or JavaScript for a better user experience and performance.

<html lang="en">
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta http-equiv="refresh" content="5;url=http://example.com">
</html>
Redirects the user to "http://example.com" after 5 seconds, giving a brief moment to read any important information before the redirect.