How to fix missing referrer policy on Shopify

Add a `Referrer-Policy: strict-origin-when-cross-origin` HTTP response header to every page so browsers control what referrer information is sent with requests.

Steps for Shopify

  1. Shopify's hosted infrastructure does not let you set arbitrary HTTP response headers via the admin UI directly.
  2. The most practical approach is to inject the `<meta>` tag fallback: go to Online Store → Themes → Actions → Edit Code.
  3. Open `layout/theme.liquid` and add `<meta name="referrer" content="strict-origin-when-cross-origin">` immediately after the opening `<head>` tag.
  4. Save the file. Verify in browser DevTools → Network → select the document → Response Headers. Note that the meta tag controls browser behaviour but will not appear as an HTTP header in DevTools; to send the true HTTP header you need a Shopify Plus account with a custom edge/CDN layer or a reverse proxy such as Cloudflare (see the Cloudflare step below).
  5. Shopify Plus stores using Cloudflare (or another CDN/WAF): add a Transform Rule or HTTP Response Header Rule to inject `Referrer-Policy: strict-origin-when-cross-origin` on all responses.
Official Shopify documentation

```html
<meta name="referrer" content="strict-origin-when-cross-origin">

<!-- OR as an HTTP response header (preferred): -->
Referrer-Policy: strict-origin-when-cross-origin
```

What is missing referrer policy?

When a visitor clicks a link or a browser makes a request from your store, it can automatically send a "Referer" header telling the destination site exactly which URL the user came from. The `Referrer-Policy` HTTP header lets you tell browsers how much of that URL to share — the full path and query string, just your origin, or nothing at all. Without this header, browsers fall back to their own default behaviour, which varies between browsers and versions and may expose sensitive URL details (like search query strings, product IDs in cart URLs, or private discount codes) to third-party sites and analytics tools. Setting `Referrer-Policy: strict-origin-when-cross-origin` is the modern recommended default: it sends the full URL for same-origin requests (useful for your own analytics) but only your origin — scheme and host, never the path or query string — when requesting from external sites, and nothing at all when an HTTPS page requests a plain-HTTP resource.

Without a `Referrer-Policy` header, sensitive information embedded in your URLs — customer emails, session tokens, promo codes, or internal admin paths — can silently leak to every third-party resource your pages load (ad networks, CDN scripts, fonts, etc.). This is classified under OWASP A05:2021 Security Misconfiguration because it is a straightforward server setting that is simply missing. Beyond privacy and security exposure, Google's guidelines and security-focused ranking signals increasingly reward sites that demonstrate responsible data handling; a missing header also appears as a finding in security audits and PCI-DSS scans that payment processors may require you to pass. Fixing it takes under 30 minutes on most platforms and immediately closes the information-leakage risk for all visitors.
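As an added example (not code from this guide or from Shopify), the following Python models what the policies discussed above do to a store URL carrying a discount code, and checks a response for either deployment route from the steps: the HTTP header (CDN/edge) or the `<meta name="referrer">` tag (theme.liquid). The store URL, vendor host and HTML snippet are constructed sample values.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values for this demo (not a real store or vendor).
STORE_PAGE = "https://example-store.myshopify.com/cart?discount=VIP50#summary"
THIRD_PARTY = "https://pixel.analytics-vendor.test/collect"
THEME_HTML = """<!doctype html><html><head>
<meta name="referrer" content="strict-origin-when-cross-origin">
<title>Cart</title></head><body></body></html>"""

def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"

def _full(url):
    # Browsers never put the fragment in Referer, but keep path and query.
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path or "/", p.query, ""))

def referer_for(policy, source, dest):
    """Referer a browser sends from `source` to `dest` under `policy` (None = nothing sent)."""
    s, d = urlsplit(source), urlsplit(dest)
    same_origin = (s.scheme, s.netloc) == (d.scheme, d.netloc)
    downgrade = s.scheme == "https" and d.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":  # legacy browser default: leaks the query string
        return None if downgrade else _full(source)
    if policy == "same-origin":
        return _full(source) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else _origin(source)
    if policy == "strict-origin-when-cross-origin":  # the value this guide deploys
        if same_origin:
            return _full(source)
        return None if downgrade else _origin(source)
    raise ValueError(f"unknown policy: {policy}")

META_RE = re.compile(r'<meta\s+name=["\']referrer["\']\s+content=["\']([^"\']+)["\']', re.I)

def declared_policies(headers, html):
    """Report the policy declared by the HTTP header and/or the <meta name="referrer"> tag."""
    header = next((v.strip() for k, v in headers.items() if k.lower() == "referrer-policy"), None)
    m = META_RE.search(html)
    return {"header": header, "meta": m.group(1).strip() if m else None}

if __name__ == "__main__":  # quick demo: the leak, then the fix
    for pol in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
        print(pol, "->", referer_for(pol, STORE_PAGE, THIRD_PARTY))
```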

See the complete Missing referrer policy guide for every platform and the full background.

Not sure if your Shopify store has this?

Run a free SEOLZ audit — we’ll find missing referrer policy and every other issue across your whole site.

