P2 Issue #28

Missing secure Referrer-Policy header

ā“ What does it mean?

ā“ What does it mean? The Referrer-Policy header controls how much referrer information (the URL of the previous page) is passed when a user clicks a link from your site. If this header is missing, browsers may default to sending full referrer URLs, which can: Leak sensitive information (query strings, user IDs, tracking tokens). Reduce security & privacy. Cause SEO performance inconsistencies (Google may not handle duplicate parameterized URLs properly).

🚨 Why is it bad for SEO & Performance?

- Security risk: without a Referrer-Policy, sensitive data in query strings (e.g. session IDs, search queries) can leak to third-party sites.
- Mixed HTTPS/HTTP issues: on HTTPS pages linking to HTTP, the browser may strip the referrer, so referrer data is lost and analytics and attribution break.
- Analytics and tracking inaccuracy: missing or inconsistent referrer data means SEO teams lose visibility into traffic sources.
- Google trust and ranking signals: Google favors sites with proper security headers (HSTS, CSP, Referrer-Policy); a missing one may weaken site trust signals.

✅ How to Fix It

Add a secure Referrer-Policy header at the server level (Apache, Nginx, Cloudflare, etc.). Recommended secure options:

- Best balance (recommended): Referrer-Policy: strict-origin-when-cross-origin
  👉 Sends the full referrer on same-site requests and only the origin on cross-site requests (privacy-preserving and SEO-safe).
- Strictest (maximum privacy): Referrer-Policy: no-referrer
  👉 Sends no referrer at all (but may break analytics attribution).

Other common options:

- no-referrer-when-downgrade (default in many browsers, but less secure)
- origin (sends only the origin, no path or query)
- unsafe-url (not recommended, exposes the full URL always)

āŒ Bad Example

šŸ“Œ Example āŒ Bad (missing header): HTTP/1.1 200 OK Content-Type: text/html

✅ Good Example

✅ Good (secure header applied):

    HTTP/1.1 200 OK
    Content-Type: text/html
    Referrer-Policy: strict-origin-when-cross-origin
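To verify the fix the way a scanner would, here is a small audit function added for this issue (not part of the original report). It parses a raw HTTP response, resolves the policy a browser would actually apply (multiple headers are combined, and a comma-separated value is a fallback list where unknown tokens are ignored and the last recognised one wins), and grades it using the options listed above; the sample responses are constructed, and the fallback default is the legacy value the issue cites.

```python
# Added example for this issue: audit the Referrer-Policy header of a raw HTTP response.
DEFAULT_POLICY = "no-referrer-when-downgrade"  # legacy default the issue cites; modern browsers differ

# Verdict for every policy token the Referrer Policy spec defines.
VERDICTS = {
    "strict-origin-when-cross-origin": "recommended",
    "no-referrer": "strictest",             # maximum privacy, may break attribution
    "same-origin": "ok",
    "strict-origin": "ok",
    "origin": "ok",                         # origin only, never path or query
    "origin-when-cross-origin": "weak",     # still sends the origin on HTTPS->HTTP
    "no-referrer-when-downgrade": "weak",   # full URL to any HTTPS cross-site page
    "unsafe-url": "insecure",               # full URL always, even over HTTP
}


def parse_headers(raw_response):
    """Split a raw HTTP/1.1 response into lower-cased (name, value) pairs."""
    lines = raw_response.replace("\r\n", "\n").split("\n")
    headers = []
    for line in lines[1:]:          # lines[0] is the status line
        if line == "":              # blank line ends the header block; body is ignored
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def effective_policy(headers):
    """Policy a browser would enforce: None if no header, "" if no valid token."""
    values = [v for name, v in headers if name == "referrer-policy"]
    if not values:
        return None
    chosen = ""
    for token in ",".join(values).split(","):   # fallback list: last valid token wins
        token = token.strip().lower()
        if token in VERDICTS:
            chosen = token
    return chosen


def audit_referrer_policy(raw_response):
    """Return which policy applies and how the issue would grade it."""
    policy = effective_policy(parse_headers(raw_response))
    if policy is None:
        return {"present": False, "policy": DEFAULT_POLICY, "verdict": "missing"}
    if policy == "":
        return {"present": True, "policy": DEFAULT_POLICY, "verdict": "weak"}
    return {"present": True, "policy": policy, "verdict": VERDICTS[policy]}
```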

⚔ Result

Result of fixing:

- Improved site security and privacy
- Accurate referrer data for SEO and analytics
- Stronger trust signals for Google
- Compliance with modern browser security standards