Referrer-Policy Errors — Missing Referrer Data and Privacy Header Issues
About Referrer-Policy Errors
Fix Referrer-Policy configuration errors causing missing referrer data in analytics, broken affiliate tracking, and cross-origin referrer leaks.
Quick Answer
Which Referrer-Policy should I use?
strict-origin-when-cross-origin is the recommended default. It sends the full URL for same-origin requests and only the origin (not path/query) for cross-origin requests.
Key Details
- Referrer-Policy controls how much referrer information is sent with requests from your page
- Browsers default to 'strict-origin-when-cross-origin', which strips the path and query string for cross-origin requests
- Overly strict policies (no-referrer) break analytics, affiliate tracking, and some API integrations
- Overly permissive policies (unsafe-url) leak full URLs including query parameters to third parties
- The policy can be set via HTTP header, meta tag, or per element with the referrerpolicy attribute or rel="noreferrer"
Common Causes
- Referrer-Policy: no-referrer preventing analytics from seeing traffic sources
- Policy stripping query parameters that contain affiliate or campaign tracking IDs
- HTTPS-to-HTTP downgrade causing the referrer to be stripped entirely (default behavior)
- Security middleware adding 'no-referrer' globally without considering analytics requirements
Steps
1. Use 'strict-origin-when-cross-origin' as a balanced default: it sends only the origin cross-origin and the full URL same-origin
2. For analytics and affiliate links, use 'no-referrer-when-downgrade' to keep the referrer on HTTPS-to-HTTPS requests; note that this policy sends the full URL, including path and query string, to cross-origin HTTPS destinations
3. Set per-link policies using the referrerpolicy attribute for specific outbound links
4. Audit your policy's impact: check GA4 referral data for gaps before and after policy changes
5. Use the meta tag <meta name='referrer' content='strict-origin-when-cross-origin'> as a page-level fallback
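
To check what a policy change will actually send before deploying it, the added example below (not part of the original page) models the Referer value a browser produces under each policy and flags where the path or query string crosses origins. The hosts and parameters are constructed, and the downgrade check is simplified to HTTPS-to-HTTP rather than the specification's full "potentially trustworthy" test.

```javascript
// Added example: models the Referer value a browser sends under each policy.
// Assumption: "downgrade" is simplified to https: -> http: only.
function computeReferrer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  from.username = "";   // credentials and fragment never appear in a referrer
  from.password = "";
  from.hash = "";
  const full = from.href;
  const originOnly = from.origin + "/";
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol === "http:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "": // no policy set: browser default
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error(`unknown policy: ${policy}`);
  }
}

// For each destination, report what is sent and whether path/query cross origins.
function auditPolicy(policy, pageUrl, destinations) {
  const pageOrigin = new URL(pageUrl).origin;
  return destinations.map((to) => {
    const referrer = computeReferrer(policy, pageUrl, to);
    const crossOrigin = new URL(to).origin !== pageOrigin;
    const exposesPath = crossOrigin && referrer !== null && referrer !== pageOrigin + "/";
    return { policy, to, referrer, exposesPath };
  });
}

// Constructed sample data (hypothetical hosts and parameters).
const PAGE = "https://shop.example/cart?aff=123&session=abc#top";
const DESTINATIONS = [
  "https://shop.example/checkout",      // same-origin
  "https://analytics.example/collect",  // cross-origin HTTPS
  "http://legacy.example/banner",       // HTTPS-to-HTTP downgrade
];
for (const p of ["no-referrer", "strict-origin-when-cross-origin",
                 "no-referrer-when-downgrade", "unsafe-url"]) {
  console.table(auditPolicy(p, PAGE, DESTINATIONS));
}
```

Rows with exposesPath set to true are the ones where campaign IDs or session values in the URL reach a third party.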