How to fix missing referrer policy on Wix

Steps for Wix

1. Wix does not allow custom HTTP response headers to be configured through its editor or dashboard.
2. As a partial mitigation, use Wix's **Velo (Welo Dev Mode)** to inject a meta tag: enable Dev Mode in the editor, open the `<head>` section via Site → SEO & Meta Tags → Additional Tags, and add: `<meta name="referrer" content="strict-origin-when-cross-origin">`.
3. For a true HTTP-level header, you would need to proxy your Wix site through a service like Cloudflare and inject the header there via a Transform / Page Rule.
4. Verify the meta tag is present in page source (View Source → search for 'referrer').

<meta name="referrer" content="strict-origin-when-cross-origin">

<!-- OR as an HTTP response header (preferred): -->
Referrer-Policy: strict-origin-when-cross-origin

What is missing referrer policy?

When a visitor clicks a link or a browser makes a request from your store, it can automatically send a "Referer" header telling the destination site exactly which URL the user came from. The `Referrer-Policy` HTTP header lets you tell browsers how much of that URL to share — the full path, just your domain, or nothing at all. Without this header, browsers fall back to their own default behaviour, which can vary and may expose sensitive URL details (like search query strings, product IDs in cart URLs, or private discount codes) to third-party sites and analytics tools. Setting `Referrer-Policy: strict-origin-when-cross-origin` is the modern recommended default: it sends the full URL for same-site requests (useful for your own analytics) but only your domain name — never the full path — when linking to external sites.

Without a `Referrer-Policy` header, sensitive information embedded in your URLs — customer emails, session tokens, promo codes, or internal admin paths — can silently leak to every third-party resource your pages load (ad networks, CDN scripts, fonts, etc.). This is classified under OWASP A05:2021 Security Misconfiguration because it is a straightforward server setting that is simply missing. Beyond privacy and security exposure, Google's guidelines and security-focused ranking signals increasingly reward sites that demonstrate responsible data handling; a missing header also appears as a finding in security audits and PCI-DSS scans that payment processors may require you to pass. Fixing it takes under 30 minutes on most platforms and immediately closes the information-leakage risk for all visitors.

See the complete Missing referrer policy guide for every platform and the full background.