Referrer Policy
Sitecheck Team
An HTTP header and HTML meta attribute that controls how much referrer information is included in requests when a user navigates from your site.
When a user clicks a link, browsers send a Referer header to the destination containing the URL they came from. The Referrer-Policy header lets you control how much of that URL is shared — the full path, just the origin, or nothing at all.
Why it matters: URLs can contain sensitive data (search terms, user IDs, session tokens). Sending them to third-party destinations is a privacy and security risk. Google now recommends strict-origin-when-cross-origin as a sensible default.
Quick tips:
- Use `strict-origin-when-cross-origin` as your baseline — it sends the origin for cross-origin requests but the full URL for same-origin requests.
- Avoid `unsafe-url`, which sends the full URL to all destinations regardless of security.
- You can override the policy per-link with the `referrerpolicy` HTML attribute.
See also: HSTS, CSP, Permissions Policy.