Missing referrer policy
Quick win: Add a `Referrer-Policy: strict-origin-when-cross-origin` HTTP response header to every page so browsers control what referrer information is sent with requests.
What it is
When a visitor clicks a link or a browser makes a request from your store, it can automatically send a "Referer" header telling the destination site exactly which URL the user came from. The `Referrer-Policy` HTTP header lets you tell browsers how much of that URL to share: the full path, just your origin (scheme and host), or nothing at all. Without this header, browsers fall back to their own default behaviour, which varies between browsers and versions and may expose sensitive URL details (such as search query strings, product IDs in cart URLs, or private discount codes) to third-party sites and analytics tools. Setting `Referrer-Policy: strict-origin-when-cross-origin` is the modern recommended default: it sends the full URL for same-origin requests (useful for your own analytics) but only your origin, never the full path, for requests to other sites, and nothing at all when a request goes from HTTPS to HTTP.
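As an added example (not part of the original page), the following Python model reproduces how a browser derives the Referer value under each `Referrer-Policy` value, and lists which query parameters of a constructed cart URL reach a third-party destination under the older `no-referrer-when-downgrade` default versus `strict-origin-when-cross-origin`. It assumes only `https` counts as a secure scheme (the spec's "potentially trustworthy" check is simplified); hostnames such as `shop.example` are constructed.

```python
# Added example, not from the original page: a model of how browsers derive the
# Referer header under each Referrer-Policy value. Simplification: only "https"
# counts as a secure scheme. All hostnames below are constructed samples.
from urllib.parse import parse_qs, urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Serialize scheme://host[:port] with userinfo, path and default port removed."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port and p.port != DEFAULT_PORTS.get(p.scheme):
        host += f":{p.port}"
    return f"{p.scheme}://{host}"


def stripped_url(url):
    """The 'full' referrer form: userinfo and fragment dropped, path and query kept."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, origin(url).split("://", 1)[1], p.path, p.query, ""))


def referrer_for(policy, source, dest):
    """Return the Referer value sent when `source` requests `dest`, or None."""
    downgrade = urlsplit(source).scheme == "https" and urlsplit(dest).scheme != "https"
    same_origin = origin(source) == origin(dest)
    full, org = stripped_url(source), origin(source) + "/"   # origin-only form ends in "/"
    return {
        "no-referrer": None,
        "unsafe-url": full,
        "no-referrer-when-downgrade": None if downgrade else full,
        "origin": org,
        "strict-origin": None if downgrade else org,
        "same-origin": full if same_origin else None,
        "origin-when-cross-origin": full if same_origin else org,
        "strict-origin-when-cross-origin": full if same_origin else (None if downgrade else org),
    }[policy]


def leaked_params(policy, source, dest):
    """Names of query parameters from `source` that reach `dest` inside Referer."""
    ref = referrer_for(policy, source, dest)
    return sorted(parse_qs(urlsplit(ref).query)) if ref else []


if __name__ == "__main__":
    cart = "https://shop.example/cart?product=123&coupon=VIP50"   # constructed cart URL
    for dest in ("https://shop.example/checkout", "https://fonts.example/f.woff2",
                 "http://tracker.example/pixel.gif"):
        for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
            print(f"{policy:31} -> {dest:34} leaks {leaked_params(policy, cart, dest)}")
```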
Why it matters
Without a `Referrer-Policy` header, sensitive information embedded in your URLs — customer emails, session tokens, promo codes, or internal admin paths — can silently leak to every third-party resource your pages load (ad networks, CDN scripts, fonts, etc.). This is classified under OWASP A05:2021 Security Misconfiguration because it is a straightforward server setting that is simply missing. Beyond privacy and security exposure, Google's guidelines and security-focused ranking signals increasingly reward sites that demonstrate responsible data handling; a missing header also appears as a finding in security audits and PCI-DSS scans that payment processors may require you to pass. Fixing it takes under 30 minutes on most platforms and immediately closes the information-leakage risk for all visitors.
How to fix it
- Decide on the policy value: `strict-origin-when-cross-origin` is the recommended safe default for most stores. It sends the full URL on same-origin requests, only the origin (scheme and domain) on cross-origin requests, and no referrer at all when a request would downgrade from HTTPS to HTTP.
- Add the header at the web-server or platform level so it is returned on every HTTP response, not just HTML pages — CSS, JS, image, and API responses should all carry it.
- If your platform does not allow arbitrary HTTP headers, use an HTML `<meta>` tag as a fallback: `<meta name="referrer" content="strict-origin-when-cross-origin">` placed inside `<head>` on every page template.
- Verify the header is present by opening your browser's DevTools (Network tab), reloading a page, clicking the document request, and checking the Response Headers section for `referrer-policy`.
- Confirm with a free online header-checker tool (e.g. securityheaders.com) that the header is returned and set to the correct value.
- Test that your site's analytics and affiliate/referral tracking still work correctly: the recommended policy preserves full referrer data for same-origin navigation and passes only your origin to cross-origin partners.
<meta name="referrer" content="strict-origin-when-cross-origin">
<!-- OR as an HTTP response header (preferred): -->
Referrer-Policy: strict-origin-when-cross-origin

Fix it on your platform
Pick your platform for the exact steps.
How to fix missing referrer policy on Shopify
- Shopify's hosted infrastructure does not let you set arbitrary HTTP response headers via the admin UI directly.
- The most practical approach is to inject the `<meta>` tag fallback: go to Online Store → Themes → Actions → Edit Code.
- Open `layout/theme.liquid` and add `<meta name="referrer" content="strict-origin-when-cross-origin">` immediately after the opening `<head>` tag.
- Save the file. Note that the `<meta>` tag sets the document's referrer policy in the browser but does not appear under Response Headers in DevTools → Network, so verify it by viewing the page source and searching for `referrer`. To return a true HTTP header you need a Shopify Plus account with a custom edge/CDN layer or a reverse proxy such as Cloudflare (see the next step).
- Shopify Plus stores using Cloudflare (or another CDN/WAF): add a Transform Rule or HTTP Response Header Rule to inject `Referrer-Policy: strict-origin-when-cross-origin` on all responses.
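As an added example (not Shopify's or the page's own code), this Python check applies the DevTools verification step to a captured response: it parses a raw response header block and the HTML, takes the last recognised token when `Referrer-Policy` lists several values (which is how browsers resolve comma-separated fallback lists), flags values that still send the full path cross-origin, and reports `meta-only` when the fallback tag is all that is present. The sample response and page are constructed.

```python
# Added example, not from the original page: classify a captured HTTP response
# (raw header block plus HTML body; both constructed samples here) by the
# Referrer-Policy it effectively applies, mirroring what the DevTools step checks.
import re

VALID = {"no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
         "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url"}
LEAKY = {"unsafe-url", "no-referrer-when-downgrade"}   # still send the full path cross-origin
META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def parse_headers(raw):
    """Return [(lowercased name, value)] from the header block, skipping the status line."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    out = []
    for line in head.strip().split("\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            out.append((name.strip().lower(), value.strip()))
    return out


def effective_policy(value):
    """Browsers use the last recognised token of a comma-separated list; unknown ones are ignored."""
    known = [t.strip().lower() for t in value.split(",") if t.strip().lower() in VALID]
    return known[-1] if known else None


def meta_referrer(html):
    """Content of <meta name="referrer"> in any attribute order, or None if absent."""
    for tag in META_TAG_RE.findall(html):
        attrs = {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
                 for m in ATTR_RE.finditer(tag)}
        if attrs.get("name", "").lower() == "referrer":
            return attrs.get("content", "")
    return None


def check_referrer_policy(raw_headers, html=""):
    """Classify the response as ok / weak / invalid / meta-only / missing."""
    values = [v for n, v in parse_headers(raw_headers) if n == "referrer-policy"]
    header = effective_policy(", ".join(values)) if values else None
    meta = effective_policy(meta_referrer(html) or "")
    if values and header is None:
        status = "invalid"            # header sent, but no token a browser recognises
    elif header is None:
        status = "meta-only" if meta else "missing"
    else:
        status = "weak" if header in LEAKY else "ok"
    return {"status": status, "header": header, "meta": meta}


if __name__ == "__main__":
    sample = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"   # constructed response
    page = '<head><meta content="strict-origin-when-cross-origin" name="referrer"></head>'
    print(check_referrer_policy(sample, page))   # meta-only: tag works, DevTools shows no header
```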
How to fix missing referrer policy on Shopify Plus
- Use a Cloudflare (or similar CDN/WAF) HTTP Response Header Transform Rule to add `Referrer-Policy: strict-origin-when-cross-origin` to every response — this is the only way to set a true HTTP header on Shopify Plus storefronts.
- In Cloudflare: Rules → Transform Rules → Modify Response Header → Add Header → Name: `Referrer-Policy`, Value: `strict-origin-when-cross-origin`, apply to hostname matches your store domain.
- As a belt-and-suspenders measure, also add the `<meta>` tag to `layout/theme.liquid` as described for standard Shopify above.
How to fix missing referrer policy on WooCommerce
- WooCommerce runs on WordPress/Apache or Nginx, so you set this at the server level.
- Apache: open your `.htaccess` file (in the WordPress root) and add inside the `<IfModule mod_headers.c>` block: `Header always set Referrer-Policy "strict-origin-when-cross-origin"`
- Nginx: open your server block config (e.g. `/etc/nginx/sites-available/yoursite.conf`) and add inside the `server {}` block: `add_header Referrer-Policy "strict-origin-when-cross-origin" always;` — then run `nginx -t` and reload.
- Alternatively, install the free WordPress plugin **Headers Security Advanced & HSTS WP** (or **Security Headers** plugin): go to WP Admin → Plugins → Add New, search for the plugin, install and activate, then enable `Referrer-Policy` and select `strict-origin-when-cross-origin` from the dropdown.
- Verify with browser DevTools or securityheaders.com.
How to fix missing referrer policy on WordPress.org
- Install a security-headers plugin such as **Headers Security Advanced & HSTS WP** or **WP Headers** from WP Admin → Plugins → Add New.
- Activate the plugin, navigate to its settings page, find the Referrer-Policy option, and set it to `strict-origin-when-cross-origin`.
- Alternatively, add the header directly in `.htaccess` (Apache) or your Nginx server block config as described in the WooCommerce steps above.
- Verify with browser DevTools → Network tab → document response headers.
How to fix missing referrer policy on BigCommerce
- BigCommerce's SaaS infrastructure does not expose raw HTTP response header configuration in the standard control panel.
- Inject the meta-tag fallback: go to Storefront → Themes → Advanced → Edit Theme Files → open `templates/layout/base.html` (or your active layout file).
- Add `<meta name="referrer" content="strict-origin-when-cross-origin">` immediately after `<head>`.
- Save and apply. For a true HTTP header, route your storefront behind Cloudflare and use a Transform Rule (Modify Response Header) to add `Referrer-Policy: strict-origin-when-cross-origin` on all responses.
How to fix missing referrer policy on Wix
- Wix does not allow custom HTTP response headers to be configured through its editor or dashboard.
- As a partial mitigation, use Wix's **Velo (Dev Mode)** to inject a meta tag: enable Dev Mode in the editor, open the `<head>` section via Site → SEO & Meta Tags → Additional Tags, and add: `<meta name="referrer" content="strict-origin-when-cross-origin">`.
- For a true HTTP-level header, you would need to proxy your Wix site through a service like Cloudflare and inject the header there via a Transform / Page Rule.
- Verify the meta tag is present in page source (View Source → search for 'referrer').
How to fix missing referrer policy on Wix eCommerce
- Follow the same steps as standard Wix above — Wix eCommerce shares the same infrastructure and header-injection limitations.
- Add the meta tag via Site → SEO & Meta Tags → Additional Tags: `<meta name="referrer" content="strict-origin-when-cross-origin">`.
- Use Cloudflare as a proxy with a Modify Response Header rule for the true HTTP header.
How to fix missing referrer policy on Squarespace
- Squarespace does not expose HTTP response header configuration in its admin panel.
- Inject the meta tag via Website → Pages → select any page → Page Settings → Advanced → Header Code injection (available on Business plan and above): add `<meta name="referrer" content="strict-origin-when-cross-origin">`.
- For site-wide injection, use Settings → Advanced → Code Injection → Header section to add the same meta tag once for all pages.
- For a true HTTP header, proxy through Cloudflare and add a Modify Response Header Transform Rule.
How to fix missing referrer policy on Squarespace Commerce
- Same as Squarespace above — use Settings → Advanced → Code Injection → Header to add the meta tag site-wide: `<meta name="referrer" content="strict-origin-when-cross-origin">`.
- Cloudflare proxy + Modify Response Header rule is required for the real HTTP header.
How to fix missing referrer policy on Webflow
- Webflow does not support custom HTTP response headers natively.
- Add the meta tag via the Project Settings: open your project → Project Settings → SEO tab → Extra `<head>` tags → paste `<meta name="referrer" content="strict-origin-when-cross-origin">` → Save and republish.
- For a true HTTP header, use Cloudflare (proxy your Webflow-published domain) → Rules → Transform Rules → Modify Response Header → add `Referrer-Policy: strict-origin-when-cross-origin`.
- Verify via browser DevTools or securityheaders.com after publishing.
How to fix missing referrer policy on Webflow Commerce
- Same as Webflow above — Project Settings → SEO → Extra head tags → add the meta tag, republish.
- Add Cloudflare Modify Response Header rule for the true HTTP header.
How to fix missing referrer policy on Adobe Commerce (Magento)
- For Nginx-hosted stores, open your virtual host config (e.g. `/etc/nginx/sites-available/magento.conf`) and add inside the `server {}` block: `add_header Referrer-Policy "strict-origin-when-cross-origin" always;` — then run `nginx -t && nginx -s reload`.
- For Apache-hosted stores, open `pub/.htaccess` or your VirtualHost config and add: `Header always set Referrer-Policy "strict-origin-when-cross-origin"`.
- Alternatively, add the header programmatically: create a custom module or edit `app/code/YourVendor/YourModule/Plugin/ResponsePlugin.php` to use `$response->setHeader('Referrer-Policy', 'strict-origin-when-cross-origin', true)` via a plugin on `Magento\Framework\App\Response\HttpInterface`.
- For Adobe Commerce Cloud (cloud.magento.com): add the header in `.magento.app.yaml` under the `web.headers` section or use Fastly (the built-in CDN) → Fastly Configuration → Response Object → add the header.
- Run `php bin/magento cache:flush` after any config change and verify with browser DevTools.
How to fix missing referrer policy on Magento Open Source
- Follow the same server-level (Nginx or Apache) steps as Adobe Commerce above.
- For the programmatic approach, create a custom module with a plugin on the HTTP response object to set the header on every response.
- Flush cache: `php bin/magento cache:flush` and verify with browser DevTools.
How to fix missing referrer policy on PrestaShop
- Open your `.htaccess` file in the PrestaShop root and add: `Header always set Referrer-Policy "strict-origin-when-cross-origin"` inside a `<IfModule mod_headers.c>` block.
- For Nginx, add `add_header Referrer-Policy "strict-origin-when-cross-origin" always;` in your server block and reload Nginx.
- Alternatively, edit `config/smarty.config.inc.php` or create an override/module that hooks into the `Header` smarty template to inject the `<meta>` tag into `<head>`.
- Verify with browser DevTools or securityheaders.com.
How to fix missing referrer policy on OpenCart
- Edit your `.htaccess` file (Apache) and add: `Header always set Referrer-Policy "strict-origin-when-cross-origin"` within `<IfModule mod_headers.c>` block.
- For Nginx, add `add_header Referrer-Policy "strict-origin-when-cross-origin" always;` in the server block.
- Alternatively, edit `catalog/view/theme/your-theme/template/common/header.twig` (OpenCart 3+) to add the meta tag inside `<head>`: `<meta name="referrer" content="strict-origin-when-cross-origin">`.
- Verify with browser DevTools.
How to fix missing referrer policy on BigCommerce for WP
- This plugin embeds BigCommerce products within a WordPress site, so the WordPress layer controls headers.
- Use a WordPress security headers plugin (e.g. Headers Security Advanced & HSTS WP) to set `Referrer-Policy: strict-origin-when-cross-origin`.
- Or add the header in `.htaccess` (Apache) / Nginx server block as described in the WooCommerce steps.
Authoritative references
- OWASP Top Ten — OWASP
- OWASP Cheat Sheet Series — OWASP
- Secure Headers Project — OWASP