How can I add Referrer-Policy header with .htaccess?
Before adding the Referrer-Policy header with .htaccess, you must first activate the rewrite module.

Paste these commands into a terminal:
sudo a2enmod rewrite
sudo a2enmod headers   # the Header directive used below is provided by mod_headers
Once the rewrite module is activated, you can use .htaccess in Apache.
Let's add the Referrer-Policy header in Apache with .htaccess!
Header always set Referrer-Policy "same-origin"
Write this line in your .htaccess file.
The available values are:
no-referrer
no-referrer-when-downgrade (default)
origin
origin-when-cross-origin
same-origin
strict-origin
strict-origin-when-cross-origin
unsafe-url
------------------------------------------------------------
no-referrer
- The Referer header will be omitted entirely. No referrer information is sent along with requests.
no-referrer-when-downgrade (default)
- This is the default behavior if no policy is specified, or if the provided value is invalid. The origin, path, and querystring of the URL are sent as a referrer when the protocol security level stays the same (HTTP→HTTP, HTTPS→HTTPS) or improves (HTTP→HTTPS), but isn't sent to less secure destinations (HTTPS→HTTP).
  There is effort from browsers in moving to a stricter default value, namely strict-origin-when-cross-origin (see https://github.com/whatwg/fetch/pull/952), consider using this value (or a stricter one), if possible, when changing the Referrer-Policy.
origin
- Only send the origin of the document as the referrer. For example, a document at https://example.com/page.html will send the referrer https://example.com/.
origin-when-cross-origin
- Send the origin, path, and query string when performing a same-origin request, but only send the origin of the document for other cases.
same-origin
- A referrer will be sent for same-site origins, but cross-origin requests will send no referrer information.
strict-origin
- Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don't send it to a less secure destination (HTTPS→HTTP).
strict-origin-when-cross-origin
- Send the origin, path, and querystring when performing a same-origin request, only send the origin when the protocol security level stays the same while performing a cross-origin request (HTTPS→HTTPS), and send no header to any less-secure destinations (HTTPS→HTTP).
unsafe-url
- Send the origin, path, and query string when performing any request, regardless of security.
This explanation is Mozilla's explanation.
------------------------------------------------------------
Thanks for watching. Write a comment if you have a rewrite request or a question.