Fix Guide
How to Fix a Missing Referrer-Policy Header
The response does not define how much referrer information browsers may send to other sites.
Recommended fix
Add a Referrer-Policy header that limits cross-origin leakage while preserving useful analytics.
This guide is designed to pair with a scanner report. Run a URL scan first, then follow the implementation steps.
Developer task
Set Referrer-Policy: strict-origin-when-cross-origin at the CDN or server layer.
Implementation steps
How to apply this fix
- Choose a policy that balances privacy and analytics, such as strict-origin-when-cross-origin.
- Set the Referrer-Policy response header at the CDN, Nginx, Apache, or app layer.
- Confirm analytics and referral attribution still work as expected.
- Re-scan to verify the Referrer-Policy header is present.
Verify
Re-run the URL scan after deploying the change to confirm the issue clears and the Themerella Score updates.
Related guides