New security header referrer policy wording

Post by morganism » Mon Feb 20, 2017 10:38 pm

A new security header for browser referer, and some explanations behind choices. ... er-policy/


"Which header you will want or need to use will depend on your requirements but there are some that you should probably stay away from. The unsafe-url value kind of gives you a hint in the name and I wouldn't really advise anyone use it. Likewise if you're thinking of using origin or origin-when-cross-origin then I'd recommend looking at strict-origin and strict-origin-when-cross-origin instead. This will at least plug the little hole of leaking referrer data over an insecure connection. I don't have anything sensitive in the URL for my site so I will probably look at a value like no-referrer-when-downgrade just to keep referrer data off HTTP connections."


Re: New security header referrer policy wording

Post by barbaz » Tue Feb 21, 2017 12:08 am

And the list of supporting browsers - ... patibility
*Always* check the changelogs BEFORE updating that important software!
