Referrer-Policy

Controls how much URL information is sent in the Referer header to other sites.

When your page loads third-party analytics or fonts, or a user clicks an outbound link, the browser may send a Referer header (the misspelling is historic; the policy header itself is spelled correctly) carrying the full path and query string of the page the request came from. Referrer-Policy shrinks or removes that signal. It is set per document, via the response header or a <meta name="referrer"> tag, and applies to that document's navigations and subresource fetches; individual elements can override it with a referrerpolicy attribute or rel="noreferrer".

Why developers care

Internal URLs, reset tokens in query strings, and PII in paths routinely leak to vendors you did not mean to trust with that detail. Compliance teams care; so should you. A sane default like strict-origin-when-cross-origin keeps the full URL for same-origin diagnostics, strips everything but the origin on cross-origin requests, and sends nothing at all on HTTPS-to-HTTP downgrades; current browsers already apply it when no policy is set, so declaring it explicitly also pins that behaviour for older clients. It is a mitigation, not a fix: a token in a URL still lands in browser history, bookmarks, and server logs, so keep secrets out of URLs regardless of policy.

Example

Referrer-Policy: strict-origin-when-cross-origin

# Stricter: cross-origin requests get no Referer at all, same-origin keeps the full URL
Referrer-Policy: same-origin

# Strictest: never send a Referer
Referrer-Policy: no-referrer

Do not reach for no-referrer-when-downgrade as the "stricter" option: it is looser. It withholds the Referer only on HTTPS-to-HTTP downgrades and otherwise sends the full URL, query string included, to any cross-origin HTTPS destination. It was the browser default before strict-origin-when-cross-origin replaced it.
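
To see concretely what each value leaks, the following is an added example (not code from this page or from any browser) that models the spec's "determine request's referrer" algorithm with the WHATWG URL class and runs it over a constructed password-reset URL against a same-origin call, an HTTPS analytics vendor, and a plain-HTTP font CDN. The sample hostnames, the 4096-byte cap, and the simplification that only https: and wss: count as potentially trustworthy (localhost and file: are ignored) are assumptions of this example.

```javascript
// Added illustration, not the page's or any browser's code: a model of the
// "determine request's referrer" algorithm from the Referrer Policy spec.
// Given a policy, the document URL and a request URL, it returns the Referer
// value the browser would send, or null for none. Runs in Node or a browser.
// Assumption: "potentially trustworthy" is modelled as https:/wss: only;
// localhost and file: are ignored for brevity.

const POLICIES = [
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin",
  "unsafe-url",
];
const DEFAULT_POLICY = "strict-origin-when-cross-origin"; // spec default for empty/unknown

function isTrustworthy(url) {
  return url.protocol === "https:" || url.protocol === "wss:";
}

// Spec "strip url for use as a referrer": drop credentials and fragment.
function stripForReferrer(url) {
  const u = new URL(url.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

function referrerFor(policy, documentHref, requestHref) {
  const source = new URL(documentHref);
  const request = new URL(requestHref);
  // Documents on local schemes (about:, blob:, data:) never send a Referer.
  if (!/^(https?|wss?):$/.test(source.protocol)) return null;
  const effective = POLICIES.includes(policy) ? policy : DEFAULT_POLICY;

  const originOnly = source.origin + "/";
  let full = stripForReferrer(source);
  // Spec: a stripped referrer longer than 4096 bytes collapses to the origin.
  if (full.length > 4096) full = originOnly;
  const sameOrigin = source.origin === request.origin;
  const downgrade = isTrustworthy(source) && !isTrustworthy(request);

  switch (effective) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin": return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
  }
}

// Constructed sample: a password-reset page with a token in its query string.
const DOCUMENT = "https://app.example.com/account/reset?token=abc123#step2";
const REQUESTS = {
  "same-origin API call": "https://app.example.com/api/me",
  "third-party analytics (https)": "https://vendor-analytics.example/collect",
  "font CDN over plain http": "http://cdn.example/font.woff2",
};

// Build policy -> { request label -> Referer value } for the sample above.
function leakTable(documentHref = DOCUMENT, requests = REQUESTS) {
  const table = {};
  for (const policy of POLICIES) {
    table[policy] = {};
    for (const [label, href] of Object.entries(requests)) {
      table[policy][label] = referrerFor(policy, documentHref, href);
    }
  }
  return table;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [policy, row] of Object.entries(leakTable())) {
    console.log(policy);
    for (const [label, value] of Object.entries(row)) {
      console.log(`  ${label}: ${value === null ? "(no Referer)" : value}`);
    }
  }
}
```

Running it shows the point of the correction above: under no-referrer-when-downgrade the analytics vendor receives https://app.example.com/account/reset?token=abc123, while strict-origin-when-cross-origin hands it only https://app.example.com/ and gives the plain-HTTP CDN nothing. Swap DOCUMENT for one of your own URLs to audit a page before shipping a policy.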

Spec

W3C Referrer Policy

Audit headers with HeadersFixer →