How to fix missing referrer policy on BigCommerce

Steps for BigCommerce

1. BigCommerce's SaaS infrastructure does not expose raw HTTP response header configuration in the standard control panel.
2. Inject the meta-tag fallback: go to Storefront → Themes → Advanced → Edit Theme Files → open `templates/layout/base.html` (or your active layout file).
3. Add `<meta name="referrer" content="strict-origin-when-cross-origin">` immediately after `<head>`.
4. Save and apply. For a true HTTP header, route your storefront behind Cloudflare and use a Transform Rule (Modify Response Header) to add `Referrer-Policy: strict-origin-when-cross-origin` on all responses.

<meta name="referrer" content="strict-origin-when-cross-origin">

<!-- OR as an HTTP response header (preferred): -->
Referrer-Policy: strict-origin-when-cross-origin

What is missing referrer policy?

When a visitor clicks a link or a browser makes a request from your store, it can automatically send a "Referer" header telling the destination site exactly which URL the user came from. The `Referrer-Policy` HTTP header lets you tell browsers how much of that URL to share — the full path, just your domain, or nothing at all. Without this header, browsers fall back to their own default behaviour, which can vary and may expose sensitive URL details (like search query strings, product IDs in cart URLs, or private discount codes) to third-party sites and analytics tools. Setting `Referrer-Policy: strict-origin-when-cross-origin` is the modern recommended default: it sends the full URL for same-site requests (useful for your own analytics) but only your domain name — never the full path — when linking to external sites.

Without a `Referrer-Policy` header, sensitive information embedded in your URLs — customer emails, session tokens, promo codes, or internal admin paths — can silently leak to every third-party resource your pages load (ad networks, CDN scripts, fonts, etc.). This is classified under OWASP A05:2021 Security Misconfiguration because it is a straightforward server setting that is simply missing. Beyond privacy and security exposure, Google's guidelines and security-focused ranking signals increasingly reward sites that demonstrate responsible data handling; a missing header also appears as a finding in security audits and PCI-DSS scans that payment processors may require you to pass. Fixing it takes under 30 minutes on most platforms and immediately closes the information-leakage risk for all visitors.

See the complete Missing referrer policy guide for every platform and the full background.