
Security: Missing Secure Referrer-Policy Header


Missing Secure Referrer-Policy Header

URLs whose Referrer-Policy header does not specify one of no-referrer-when-downgrade, strict-origin-when-cross-origin, no-referrer or strict-origin.

When a site is served over HTTPS, it is important that its URLs are not leaked in the Referer header of non-HTTPS requests (for example a request for an HTTP image, script or link target). A referrer sent over plain HTTP is visible to anyone on the network path, which exposes users to ‘man in the middle’ observation of the pages they visited, including any identifiers or parameters in those URLs.

How to Analyse in the SEO Spider

Use the ‘Security’ tab and ‘Missing Secure Referrer-Policy Header’ filter to view these URLs and export all URLs using the ‘Export’ button.

What Triggers This Issue

This issue is triggered when a URL is missing the no-referrer-when-downgrade, strict-origin-when-cross-origin, no-referrer or strict-origin policies in the Referrer-Policy header.

For example:

Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: no-referrer
Referrer-Policy: strict-origin
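The following Python snippet is an added example, not code from the SEO Spider or its documentation. It applies the trigger condition above to a set of constructed HTTP responses and also simulates what Referer value a browser would send under each policy, which makes the downgrade leak described earlier concrete. It assumes the Referrer Policy specification's parsing rule for the header (a comma-separated fallback list in which the last recognised token wins and unknown tokens are ignored); the DEFAULT_POLICY constant is an assumption about the browser being simulated when the header is absent or empty.

```python
"""Referrer-Policy audit and Referer simulation (added example, not SEO Spider code)."""
from urllib.parse import urlsplit

# The four policy values this issue treats as secure (as listed on the page).
SECURE_POLICIES = frozenset({
    "no-referrer-when-downgrade",
    "strict-origin-when-cross-origin",
    "no-referrer",
    "strict-origin",
})

# Every token defined by the Referrer Policy specification ("" = no policy set).
KNOWN_POLICIES = SECURE_POLICIES | {
    "", "unsafe-url", "origin", "origin-when-cross-origin", "same-origin",
}

# Assumption: policy the simulated browser applies when none is set. Current
# browsers default to strict-origin-when-cross-origin; older ones used
# no-referrer-when-downgrade, which is why an absent header is still flagged.
DEFAULT_POLICY = "strict-origin-when-cross-origin"


def effective_policy(header_value):
    """Return the policy a browser applies for a raw Referrer-Policy header value.

    The header may carry a comma-separated fallback list; the last recognised
    token wins and unknown tokens are ignored. Returns "" when no valid policy
    is present (or the header is missing entirely).
    """
    if header_value is None:
        return ""
    chosen = ""
    for token in header_value.split(","):
        token = token.strip().lower()
        if token and token in KNOWN_POLICIES:
            chosen = token
    return chosen


def is_secure(header_value):
    """True when the effective policy is one of the four the page lists."""
    return effective_policy(header_value) in SECURE_POLICIES


def referer_sent(header_value, source, destination):
    """Simulate the Referer a browser sends when `source` requests `destination`.

    Returns the full URL, the origin only, or None when no Referer is sent.
    Credentials in the source URL are not handled (none appear in the samples).
    """
    policy = effective_policy(header_value) or DEFAULT_POLICY
    src, dst = urlsplit(source), urlsplit(destination)
    full = source.split("#", 1)[0]  # the fragment is never sent as referrer
    origin = f"{src.scheme}://{src.netloc}/"
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme == "http"

    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown policy {policy!r}")


def audit(responses):
    """Return the URLs in {url: headers} that would trigger this issue."""
    flagged = []
    for url, headers in responses.items():
        value = next((v for k, v in headers.items() if k.lower() == "referrer-policy"), None)
        if not is_secure(value):
            flagged.append(url)
    return flagged


# Constructed sample responses, one per interesting case.
SAMPLE_RESPONSES = {
    "https://example.com/": {"Referrer-Policy": "strict-origin-when-cross-origin"},
    "https://example.com/login": {"Content-Type": "text/html"},                      # header absent
    "https://example.com/blog": {"Referrer-Policy": "unsafe-url"},                    # leaks on downgrade
    "https://example.com/docs": {"Referrer-Policy": "no-referrer, unsafe-url"},       # last token wins
    "https://example.com/faq": {"Referrer-Policy": "strict-origin, bogus-value"},     # unknown ignored
}

if __name__ == "__main__":
    for url in audit(SAMPLE_RESPONSES):
        print("flagged:", url)
    page = "https://example.com/account?id=42#top"
    for policy in ("unsafe-url", "no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
        print(policy, "->", referer_sent(policy, page, "http://tracker.example.org/p.gif"))
```

The simulation shows why the four accepted values are considered secure: under each of them a request to an http:// destination carries either nothing or, at most, the origin, while unsafe-url sends the full https:// URL in clear text. The fallback-list handling matters in practice, since a header such as "no-referrer, unsafe-url" ends up applying unsafe-url even though it contains a secure token.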

How To Fix

Consider setting a referrer policy of strict-origin-when-cross-origin. It retains much of the referrer’s usefulness (the full URL is still sent for same-origin requests) while limiting cross-origin requests to the origin only and sending nothing at all when the request downgrades from HTTPS to HTTP.

Further Reading
