Referrer-Policy
The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. Aside from the HTTP header, you can set this policy in HTML.
Usage
This header is enabled by default but you can change its behavior like following.
export default defineNuxtConfig({
// Global
security: {
headers: {
referrerPolicy: <OPTIONS>,
},
},
// Per route
routeRules: {
'/custom-route': {
security: {
headers: {
referrerPolicy: <OPTIONS>,
},
},
}
}
})
You can also disable this header by referrerPolicy: false
.
Default value
By default, Nuxt Security will set the following value for this header.
Referrer-Policy: no-referrer
Available values
The referrerPolicy
header can be configured with following values.
referrerPolicy: 'no-referrer'
| 'no-referrer-when-downgrade'
| 'origin'
| 'origin-when-cross-origin'
| 'same-origin'
| 'strict-origin'
| 'strict-origin-when-cross-origin'
| 'unsafe-url'
| false
no-referrer
The Referer header will be omitted: sent requests do not include any referrer information.
no-referrer-when-downgrade
Send the origin, path, and querystring in Referer when the protocol security level stays the same or improves (HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS). Don't send the Referer header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file).
origin
Send only the origin in the Referer header. For example, a document at https://example.com/page.html will send the referrer https://example.com/.
origin-when-cross-origin
When performing a same-origin request to the same protocol level (HTTP→HTTP, HTTPS→HTTPS), send the origin, path, and query string. Send only the origin for cross origin requests and requests to less secure destinations (HTTPS→HTTP).
same-origin
Send the origin, path, and query string for same-origin requests. Don't send the Referer header for cross-origin requests.
strict-origin
Send only the origin when the protocol security level stays the same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).
strict-origin-when-cross-origin
(default)
Send the origin, path, and querystring when performing a same-origin request. For cross-origin requests send the origin (only) when the protocol security level stays same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).
unsafe-url
Send the origin, path, and query string when performing any request, regardless of security.