The Referrer-Policy HTTP header controls how much referrer information the browser includes in requests.
Configuring this header incorrectly can expose private data from the referring page to the destination of the request.
The possible values for this header are documented on MDN.
The unsafe-url value sends the origin, path and query string of the referring page with every request, regardless of where the request goes.
This may leak any private information carried in the URL.
Noncompliant example:
import helmet from 'helmet'
import express from 'express'
const app = express()
// One of: unsafe-url, no-referrer-when-downgrade
// Both send the full URL (path and query string included) to other origins;
// unsafe-url does so even on an HTTPS-to-HTTP downgrade
app.use(helmet.referrerPolicy({ policy: 'unsafe-url' }))
Compliant example:
import helmet from 'helmet'
import express from 'express'
const app = express()
// One of: no-referrer, origin, same-origin, strict-origin, origin-when-cross-origin
// At most the origin leaves the site; the path and query string are never sent cross-origin
app.use(helmet.referrerPolicy({ policy: 'no-referrer' }))
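To see what each policy actually puts in the Referer header, here is an added example (not from the original page or from helmet) that models the "Determine request's referrer" steps of the Referrer Policy specification in plain Node.js. The function name referrerFor and the sample URLs are constructed for this example, and it simplifies the spec by treating only https:// origins as trustworthy, so https to http counts as a downgrade.

```javascript
// Added example: simplified model of what a browser sends as the Referer
// header under a given Referrer-Policy value (only https:// is treated as
// potentially trustworthy; localhost and other special cases are ignored).

function strippedUrl(url) {
  const u = new URL(url);
  u.username = ''; // credentials and the fragment are never sent as a referrer
  u.password = '';
  u.hash = '';
  return u.href;
}

function originOnly(url) {
  return new URL(url).origin + '/'; // browsers send the bare origin with a trailing slash
}

// Returns the Referer value for a request from fromUrl to toUrl ('' = header omitted).
function referrerFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === 'https:' && to.protocol !== 'https:';
  switch (policy || 'strict-origin-when-cross-origin') { // '' selects the browser default
    case 'no-referrer':                return '';
    case 'unsafe-url':                 return strippedUrl(fromUrl);
    case 'same-origin':                return sameOrigin ? strippedUrl(fromUrl) : '';
    case 'origin':                     return originOnly(fromUrl);
    case 'strict-origin':              return downgrade ? '' : originOnly(fromUrl);
    case 'origin-when-cross-origin':   return sameOrigin ? strippedUrl(fromUrl) : originOnly(fromUrl);
    case 'no-referrer-when-downgrade': return downgrade ? '' : strippedUrl(fromUrl);
    case 'strict-origin-when-cross-origin':
      return sameOrigin ? strippedUrl(fromUrl) : (downgrade ? '' : originOnly(fromUrl));
    default:
      throw new Error(`unknown Referrer-Policy value: ${policy}`);
  }
}

// Constructed sample: a page whose URL carries a secret token, and two
// cross-origin destinations (one plain HTTP, one HTTPS).
const PAGE = 'https://app.example/reset?token=abc123#step2';
const HTTP_THIRD_PARTY = 'http://tracker.example/pixel';
const HTTPS_THIRD_PARTY = 'https://partner.example/';

for (const p of ['unsafe-url', 'no-referrer-when-downgrade', 'strict-origin', 'no-referrer']) {
  console.log(p.padEnd(28), 'http:', JSON.stringify(referrerFor(p, PAGE, HTTP_THIRD_PARTY)),
              'https:', JSON.stringify(referrerFor(p, PAGE, HTTPS_THIRD_PARTY)));
}
```

The output shows why no-referrer-when-downgrade is grouped with unsafe-url: it still hands the full URL, token included, to any HTTPS third party.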