How to fix missing referrer policy on Magento Open Source

Steps for Magento Open Source

1. Follow the same server-level (Nginx or Apache) steps as Adobe Commerce above.
2. For the programmatic approach, create a custom module with a plugin on the HTTP response object to set the header on every response.
3. Flush cache: `php bin/magento cache:flush` and verify with browser DevTools.

<meta name="referrer" content="strict-origin-when-cross-origin">

<!-- OR as an HTTP response header (preferred): -->
Referrer-Policy: strict-origin-when-cross-origin

What is missing referrer policy?

When a visitor clicks a link or a browser makes a request from your store, it can automatically send a "Referer" header telling the destination site exactly which URL the user came from. The `Referrer-Policy` HTTP header lets you tell browsers how much of that URL to share — the full path, just your domain, or nothing at all. Without this header, browsers fall back to their own default behaviour, which can vary and may expose sensitive URL details (like search query strings, product IDs in cart URLs, or private discount codes) to third-party sites and analytics tools. Setting `Referrer-Policy: strict-origin-when-cross-origin` is the modern recommended default: it sends the full URL for same-site requests (useful for your own analytics) but only your domain name — never the full path — when linking to external sites.

Without a `Referrer-Policy` header, sensitive information embedded in your URLs — customer emails, session tokens, promo codes, or internal admin paths — can silently leak to every third-party resource your pages load (ad networks, CDN scripts, fonts, etc.). This is classified under OWASP A05:2021 Security Misconfiguration because it is a straightforward server setting that is simply missing. Beyond privacy and security exposure, Google's guidelines and security-focused ranking signals increasingly reward sites that demonstrate responsible data handling; a missing header also appears as a finding in security audits and PCI-DSS scans that payment processors may require you to pass. Fixing it takes under 30 minutes on most platforms and immediately closes the information-leakage risk for all visitors.

See the complete Missing referrer policy guide for every platform and the full background.