
Referrer Policy Checker — Referrer-Policy Header Scan

Read checks.referrer — strict-origin-when-cross-origin, no-referrer, and other policy tokens

How to Use This Tool

  1. Paste a full HTTPS URL into the form.
  2. The server fetches the document response with SSRF-safe validation.
  3. checks.referrer is populated from the referrer-policy response header.
  4. A present header earns eleven points; an absent header adds referrer to the missing array.
  5. recommendations suggests strict-origin-when-cross-origin or stricter tokens.
  6. Compare the policy tokens against analytics and affiliate link requirements.

About This Tool

Referrer-Policy controls how much URL path and query information browsers attach when users navigate away — overly permissive policies leak session tokens in query strings to third-party analytics and affiliate networks. VSPIC referrer-policy-checker calls security-headers with your URL, returning checks.referrer present flag, truncated policy value, score points, plus complete checks, grade, missing, recommendations, and headers map.

Review checks.referrer tokens against privacy requirements; strict-origin-when-cross-origin is a common balanced default. The full security-headers JSON is identical to the output of security-headers-checker. This landing page emphasizes the referrer check for privacy and compliance workflows.

Common use cases

  • Inspect HTTP headers and user-agent strings
  • Analyze email headers for phishing investigation
  • Generate strong passwords for staging environments

Why use VSPIC?

  • checks.referrer present and value for privacy audits.
  • Full header scan context — HSTS and CSP visible in same JSON.
  • recommendations for ticket-ready policy suggestions.
  • Grade summarizes overall header program maturity.
  • Raw headers for meta referrer policy tag cross-check.
  • Free instant scan on public pages.

Referrer-Policy tokens explained

no-referrer sends no referrer. strict-origin-when-cross-origin sends the full URL on same-origin requests, only the origin on cross-origin HTTPS requests, and omits the path on an HTTP downgrade. unsafe-url always sends the full URL; avoid it on authenticated apps.

checks.referrer.value truncates for display — read full headers map when policies are long or duplicated.
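As an added illustration (not VSPIC's code), the sketch below picks the effective policy from one or more Referrer-Policy header values and computes the Referer a browser would attach under each token, following the W3C Referrer Policy rules; under those rules the strict policies send no Referer at all on an HTTPS-to-HTTP downgrade. The URLs are constructed samples, and origin comparison is simplified to scheme plus host:port.

```python
from urllib.parse import urlsplit

# The eight tokens defined by the W3C Referrer Policy specification.
TOKENS = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Constructed sample: a password-reset URL carrying a secret in its query string.
SAMPLE_SOURCE = "https://app.example.com/reset?token=CONSTRUCTED123#step2"

def effective_policy(header_values):
    """Last recognised token wins; unknown tokens are skipped (fallback lists)."""
    policy = None
    for value in header_values:            # one entry per Referrer-Policy line
        for token in value.split(","):
            token = token.strip().lower()  # case-folding is this example's choice
            if token in TOKENS:
                policy = token
    return policy

def referer_sent(policy, source, destination):
    """Return the Referer value a browser would attach, or None for no header."""
    if policy not in TOKENS:
        raise ValueError(f"unknown policy: {policy!r}")
    src, dst = urlsplit(source), urlsplit(destination)
    # Simplification: origins compared as scheme + host:port, default ports not normalised.
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme != "https"
    full = src._replace(fragment="").geturl()   # fragments are never sent
    origin = f"{src.scheme}://{src.netloc}/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    # The remaining three policies all send nothing on an HTTPS -> HTTP downgrade.
    if downgrade:
        return None
    if policy == "no-referrer-when-downgrade":
        return full
    if policy == "strict-origin":
        return origin
    return full if same_origin else origin      # strict-origin-when-cross-origin
```

Running `referer_sent` over login and checkout URLs for each candidate token shows exactly which query parameters would reach a third party before the policy is deployed.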

Privacy and analytics tradeoffs

Marketing teams sometimes demand referrer path for campaign attribution — privacy teams prefer origin-only cross-origin. Document chosen policy in privacy impact assessments.

Missing Referrer-Policy defaults to browser legacy behavior — often more leakage than intended.

Relationship to security-headers-checker

referrer-policy-checker and its sibling header pages call the security-headers action. The canonical full audit lives on security-headers-checker; this page focuses on checks.referrer for referrer-policy search intent.

API: GET /ip-tools/api/extended?action=security-headers&url=https://example.com

Meta tag versus header

A referrer policy may also appear in an HTML meta name=referrer tag, but this fetch scores the response header only. View the page source or use browser devtools when the header is absent but a meta tag exists.

Prefer HTTP header for consistency across all responses including non-HTML assets when applicable.
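One way to do that cross-check offline, as an added example that is not part of VSPIC: given a response's headers and HTML body, it reports whether the policy comes from the header, a meta tag, both, or neither. The sample HTML is constructed, and treating the last valid meta tag as the one in effect is an assumption of this sketch.

```python
from html.parser import HTMLParser

VALID = set("""no-referrer no-referrer-when-downgrade same-origin origin strict-origin
origin-when-cross-origin strict-origin-when-cross-origin unsafe-url""".split())
# Legacy keywords that the HTML standard still maps for <meta name="referrer">.
LEGACY = {"never": "no-referrer", "always": "unsafe-url",
          "origin-when-crossorigin": "origin-when-cross-origin"}
# Constructed sample: a page that sets its policy only through a legacy meta keyword.
SAMPLE_HTML = '<html><head><meta name="Referrer" content="never"></head></html>'

class MetaReferrer(HTMLParser):
    """Collects the valid policy of every <meta name="referrer"> in a document."""
    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "referrer":
            token = (a.get("content") or "").strip().lower()
            token = LEGACY.get(token, token)
            if token in VALID:               # invalid content is ignored
                self.policies.append(token)

def compare(headers, html):
    """Classify where the referrer policy comes from: header, meta, both, neither."""
    names = {k.lower(): v for k, v in headers.items()}
    tokens = [t.strip().lower() for t in (names.get("referrer-policy") or "").split(",")]
    header = next((t for t in reversed(tokens) if t in VALID), None)
    parser = MetaReferrer()
    parser.feed(html)
    meta = parser.policies[-1] if parser.policies else None   # assumption: last tag applies
    if header and meta:
        status = "both-agree" if header == meta else "both-differ"
    elif header:
        status = "header-only"
    elif meta:
        status = "meta-only"    # a header-only scan reports this page as missing
    else:
        status = "none"
    return {"status": status, "header": header, "meta": meta}
```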

GDPR and compliance narratives

Referrer leakage can expose personal data in URL paths, so document Referrer-Policy in DPIA appendices. checks.referrer.present being false is a finding for privacy reviews even when the security grade tolerates missing fifteen-ish points.

Pair with cookie-analyzer when reviewing cross-site tracking surface holistically.

Deployment guidance

Set Referrer-Policy at CDN or web server for all HTML responses. Align with Permissions-Policy and CSP for defense in depth.

Test login and checkout URLs — paths often carry sensitive query parameters.

Reading missing and recommendations

missing includes referrer when absent. recommendations array surfaces suggested strict-origin-when-cross-origin text from backend scoring logic.

Re-run after each deploy; referrer header regressions are common during CDN template changes.

Authorized scanning

Scan your properties or authorized targets. Passive header read — no user data collected.

We do not permanently store scanned URLs.

Important notes & limitations

  • Scores header presence — does not audit every outbound link rel=noreferrer.
  • HTML meta referrer tags not parsed — response header only.
  • Single URL — not sitewide crawl for policy consistency.
  • Some analytics require looser policies — business tradeoffs apply.
  • Bots may receive different headers than browsers.

Frequently Asked Questions

Yes. VSPIC offers this Referrer-Policy checker at no cost with no account required. Results load in real time.

We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.

Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.

strict-origin-when-cross-origin balances privacy and analytics for many sites. Use the stricter no-referrer when path leakage is unacceptable.

security-headers with the url parameter.

No. It scores the Referrer-Policy response header. Check HTML meta separately if header is absent.

Same security-headers API. This page emphasizes checks.referrer for referrer-policy SEO.

Some tools need path or campaign query params in referrer. Test analytics after tightening policy.

Yes — path and query leakage exposes tokens and identifiers to third parties receiving Referer headers.
