Referrer-Policy Header Builder
The Referrer-Policy header controls how much of your URL is included in the `Referer` request header when users click links or your page makes subresource requests. This builder lets you pick one of the eight standard policies and see exactly what gets sent for the three scenarios that matter: a request to the same origin, a cross-origin request over HTTPS, and a cross-origin request that downgrades to HTTP. Both the response-header form and the `<meta>` form are emitted, so you can apply the policy from the server or inside CDN-cached HTML.
Referrer-Policy: strict-origin-when-cross-origin
<meta name="referrer" content="strict-origin-when-cross-origin">
| Scenario | Referer sent |
|---|---|
| Same origin (HTTPS→HTTPS, same host) | https://app.example.com/page?id=42 |
| Cross-origin (HTTPS→HTTPS, different host) | https://api.other.com |
| Downgrade (HTTPS→HTTP) | (no header) |
Apply the header on every HTML response. The `<meta>` form is useful when you can't control headers (static hosting that doesn't let you set them, etc.).
How to use
- Pick a policy. The default for modern browsers is `strict-origin-when-cross-origin`: it sends only the origin on cross-origin HTTPS→HTTPS requests, and nothing on a downgrade.
- Read the three example rows to see exactly what the browser would send.
- Copy the response header (preferred) or the `<meta>` tag (works inside an HTML page when you can't control headers).
Frequently asked questions
- Which policy is the safe default?
- `strict-origin-when-cross-origin`. It sends the full URL for same-origin (your analytics still works), only the origin for cross-origin HTTPS, and nothing when downgrading to HTTP. This is the implicit default in modern browsers if you don't set a policy.
- Why is `unsafe-url` flagged?
- It sends the full URL (including query string) to every destination, even on HTTPS→HTTP downgrades. Query strings often contain tokens, ids and personal info — `unsafe-url` leaks them to the network and to whatever ad/analytics/embed lives at the destination.