HTTP Header: Referrer Policy
The attack
The Referrer Policy module can control the behavior of the Referer header by setting the Referrer-Policy header.
The Referer HTTP header is typically set by web browsers to tell a server where it’s coming from. For example, if you click a link on example.com/index.html that takes you to wikipedia.org, Wikipedia’s servers will see Referer: example.com.
This can have privacy implications—websites can see where users are coming from.
The header
The new Referrer-Policy HTTP header lets authors control how browsers set the Referer header.
For example, when supported browsers see this header, they will set no Referer header at all:
Referrer-Policy: no-referrer
There are other directives, too. same-origin, for example, will only send the Referer header for pages on the same origin.
Referrer-Policy: same-origin
You can see the full list of directives in the specification, along with its support across browsers.
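To make the directive semantics concrete, here is an added example (not part of the Helmet documentation or its code) that reproduces the browser-side decision: given a Referrer-Policy directive, the page the user is on, and the destination, it returns the Referer value a browser sends, or null for none. It covers all eight directives from the specification, not only the two shown above, and simplifies the spec's "potentially trustworthy" check to a plain https-to-http comparison.

```javascript
// Added example: compute the Referer a browser sends when navigating from
// `from` to `to` under a Referrer-Policy directive (W3C Referrer Policy).
// Returns null when no Referer header is sent at all.
function computeReferer(policy, from, to) {
  const src = new URL(from);
  const dst = new URL(to);

  // Full referrer: credentials and fragment are always stripped.
  const full = new URL(src.href);
  full.username = '';
  full.password = '';
  full.hash = '';
  // Origin-only referrer: scheme, host and port with a trailing slash.
  const originOnly = src.origin + '/';

  const sameOrigin = src.origin === dst.origin;
  // "Downgrade": leaving an HTTPS page for a non-HTTPS destination.
  // (Simplification: the spec uses "potentially trustworthy URL" here.)
  const downgrade = src.protocol === 'https:' && dst.protocol !== 'https:';

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : full.href;
    case 'same-origin':
      return sameOrigin ? full.href : null;
    case 'origin':
      return originOnly;
    case 'strict-origin':
      return downgrade ? null : originOnly;
    case 'origin-when-cross-origin':
      return sameOrigin ? full.href : originOnly;
    case '': // no header at all: current browsers default to the next case
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full.href;
      return downgrade ? null : originOnly;
    case 'unsafe-url':
      return full.href;
    default:
      throw new Error(`unknown Referrer-Policy directive: ${policy}`);
  }
}

// Constructed sample: a page carrying a session token in its query string
// links out to another site. Shows what each policy leaks to that site.
const FROM = 'https://user:pw@example.com/account?session=abc123#top';
for (const p of ['no-referrer', 'same-origin', 'strict-origin-when-cross-origin', 'unsafe-url']) {
  console.log(p.padEnd(32), computeReferer(p, FROM, 'https://wikipedia.org/'));
}
```

Only unsafe-url (or no-referrer-when-downgrade to an HTTPS destination) exposes the full path and query string cross-origin; the origin-only variants leak just https://example.com/.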
The code
const express = require('express')
const helmet = require('helmet')
const app = express()
// Sets "Referrer-Policy: same-origin".
app.use(helmet.referrerPolicy({ policy: 'same-origin' }))