Headers

Referrer-Policy

Control how much referrer information should be included with requests.

The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. Aside from the HTTP header, you can set this policy in HTML.

Read more about this header here.

Usage

This header is enabled by default but you can change its behavior like following.

export default defineNuxtConfig({
  // Global
  security: {
    headers: {
      referrerPolicy: <OPTIONS>,
    },
  },

  // Per route
  routeRules: {
    '/custom-route': {
      security: {
        headers: {
          referrerPolicy: <OPTIONS>,
        },
      },
    }
  }
})

You can also disable this header by referrerPolicy: false.

Default value

By default, Nuxt Security will set the following value for this header.

Referrer-Policy: no-referrer

Available values

The referrerPolicy header can be configured with following values.

referrerPolicy: 'no-referrer'
  | 'no-referrer-when-downgrade'
  | 'origin'
  | 'origin-when-cross-origin'
  | 'same-origin'
  | 'strict-origin'
  | 'strict-origin-when-cross-origin'
  | 'unsafe-url'
  | false

no-referrer

The Referer header will be omitted: sent requests do not include any referrer information.

no-referrer-when-downgrade

Send the origin, path, and querystring in Referer when the protocol security level stays the same or improves (HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS). Don't send the Referer header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file).

origin

Send only the origin in the Referer header. For example, a document at https://example.com/page.html will send the referrer https://example.com/.

origin-when-cross-origin

When performing a same-origin request to the same protocol level (HTTP→HTTP, HTTPS→HTTPS), send the origin, path, and query string. Send only the origin for cross origin requests and requests to less secure destinations (HTTPS→HTTP).

same-origin

Send the origin, path, and query string for same-origin requests. Don't send the Referer header for cross-origin requests.

strict-origin

Send only the origin when the protocol security level stays the same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).

strict-origin-when-cross-origin (default)

Send the origin, path, and querystring when performing a same-origin request. For cross-origin requests send the origin (only) when the protocol security level stays same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).

Note: This is the default policy if no policy is specified, or if the provided value is invalid (see spec revision November 2020). Previously the default was no-referrer-when-downgrade.

unsafe-url

Send the origin, path, and query string when performing any request, regardless of security.

⚠️ This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.

Origin-Agent-Cluster

Instructs the browser to prevent synchronous scripting access between same-site cross-origin pages.

Strict-Transport-Security

Inform browsers that the site should only be accessed using HTTPS.