Referrer-Policy header builder

Select how much referrer information browsers attach to requests, then copy a Referrer-Policy response header for your CDN or origin server.

About Referrer-Policy builder

Pick a Referrer-Policy value and copy the HTTP header—control referrer leakage locally. The interactive transform on this page runs in your browser tab—Toolcore does not need your paste for the core operation described above.

How to use this page

Paste or type in the main workspace, run the primary action from the toolbar, then copy or download the result. Use Load example when the page offers it, or URL prefill (?q= / ?qb=) so agents and tickets open the same input.

Limits and safety

Utilities here are for development and inspection—do not paste live production keys, PANs, or recovery codes into any browser tab you do not control.

Choose how much referrer information browsers send on navigations and subresource requests—pair with CSP and Permissions-Policy.

strict-origin-when-cross-origin is a common default: full URL for same-origin, origin only for HTTPS→HTTPS cross-origin, and no referrer on downgrade.

Nearby workflows on Toolcore

  • CSP header builder: Build a Content-Security-Policy header from directive fields and copy it for nginx, Express, or CDN configs locally.
  • Permissions-Policy builder: Build a Permissions-Policy header to allow or deny camera, geolocation, payment, and other browser features locally.
  • HSTS header builder: Draft Strict-Transport-Security with max-age, includeSubDomains, and optional preload (local only).
  • HTTP headers: Common request and response header fields (names, direction, and short summaries), filterable client-side.

Common use cases

  • Reduce URL leakage to third-party analytics or ad tags on cross-origin requests.
  • Match MDN or security review recommendations before editing server config.
  • Document referrer behavior alongside CSP and Permissions-Policy drafts.

Common mistakes to avoid

  • Using unsafe-url on sensitive apps

    unsafe-url sends full URLs even on HTTP downgrade paths—prefer strict-origin-when-cross-origin unless you need full referrers everywhere.

  • Expecting Referrer-Policy to block tracking

    It controls the Referer header on navigations and requests—it does not replace cookie or CSP controls.

FAQ

Which value should I start with?

strict-origin-when-cross-origin is widely used: origin-only on cross-origin HTTPS, full URL on same-origin, and no referrer on downgrade.

Is data uploaded?

No. The header string is built entirely in your browser.
