How to fix missing referrer policy on Squarespace

Steps for Squarespace

1. Squarespace does not expose HTTP response header configuration in its admin panel.
2. Inject the meta tag via Website → Pages → select any page → Page Settings → Advanced → Header Code injection (available on Business plan and above): add `<meta name="referrer" content="strict-origin-when-cross-origin">`.
3. For site-wide injection, use Settings → Advanced → Code Injection → Header section to add the same meta tag once for all pages.
4. For a true HTTP header, proxy through Cloudflare and add a Modify Response Header Transform Rule.

<meta name="referrer" content="strict-origin-when-cross-origin">

<!-- OR as an HTTP response header (preferred): -->
Referrer-Policy: strict-origin-when-cross-origin

What is missing referrer policy?

When a visitor clicks a link or a browser makes a request from your store, it can automatically send a "Referer" header telling the destination site exactly which URL the user came from. The `Referrer-Policy` HTTP header lets you tell browsers how much of that URL to share — the full path, just your domain, or nothing at all. Without this header, browsers fall back to their own default behaviour, which can vary and may expose sensitive URL details (like search query strings, product IDs in cart URLs, or private discount codes) to third-party sites and analytics tools. Setting `Referrer-Policy: strict-origin-when-cross-origin` is the modern recommended default: it sends the full URL for same-site requests (useful for your own analytics) but only your domain name — never the full path — when linking to external sites.

Without a `Referrer-Policy` header, sensitive information embedded in your URLs — customer emails, session tokens, promo codes, or internal admin paths — can silently leak to every third-party resource your pages load (ad networks, CDN scripts, fonts, etc.). This is classified under OWASP A05:2021 Security Misconfiguration because it is a straightforward server setting that is simply missing. Beyond privacy and security exposure, Google's guidelines and security-focused ranking signals increasingly reward sites that demonstrate responsible data handling; a missing header also appears as a finding in security audits and PCI-DSS scans that payment processors may require you to pass. Fixing it takes under 30 minutes on most platforms and immediately closes the information-leakage risk for all visitors.

See the complete Missing referrer policy guide for every platform and the full background.