Referrer-Policy and missing referrers
Referrer-Policy is the web standard that controls how much of the referrer a browser sends with a request. Site owners set it via an HTTP header or a meta tag, and modern browsers default to a privacy-leaning value. Understanding the policy values explains why so many referrers arrive trimmed to the origin or missing entirely.
How the policy controls disclosure
Referrer-Policy is set by the referring page, either as a Referrer-Policy HTTP response header or an equivalent meta tag, and the browser enforces it on outbound navigations and requests. Values range from sending the full URL to sending only the origin, only on same-origin, or nothing at all.
Modern browsers commonly default to strict-origin-when-cross-origin, which sends the full URL same-origin but only the origin (no path or query) when crossing to another site. That default alone explains a large share of 'reduced' referrers.
- Set via HTTP header or meta tag on the referring page
- Values range from full URL to origin-only to none
- Modern default is strict-origin-when-cross-origin
Why referrers go missing
Stricter values such as no-referrer send nothing, and same-origin sends a referrer only within your own site. When a referring site chooses one of these, your analytics receives little or no referrer, and the visit can fall into direct.
None of this is a bug; it is the standard working as designed. MDN's Referrer-Policy reference lists each value and its effect, and is the authoritative description.
- no-referrer sends nothing
- same-origin omits the referrer cross-site
- Trimmed or absent referrers are by design
How it appears in analytics and logs
A trimmed referrer (origin only) or a missing one is often the direct result of a Referrer-Policy value, not a tracking failure. The policy is set by the referring site and enforced by the browser.
Diagnostic use case
Understand how Referrer-Policy values control referrer disclosure and why a privacy-leaning default trims or removes the referrer.
What WebmasterID can help detect
WebmasterID treats policy-trimmed and policy-stripped referrers as expected, reporting the resulting gaps honestly rather than inventing a source the policy intentionally withheld.
Common mistakes
- Reading policy-trimmed referrers as a measurement failure.
- Expecting a full referrer URL across origins under modern defaults.
- Trying to reconstruct a referrer the policy intentionally withheld.
Privacy and accuracy notes
Referrer-Policy exists to protect users by limiting what is leaked across sites. WebmasterID reads whatever the policy allows the browser to send and never tries to reconstruct a withheld referrer.
Related pages
- HTTPS-to-HTTP referrer loss
A long-standing browser rule removes the referrer when navigating from a secure HTTPS page to an insecure HTTP page, to avoid leaking a secure URL into an unencrypted request. With most of the web on HTTPS this is less common than it once was, but it still explains specific cases of missing referrers — and it is a reason to serve your own site over HTTPS.
- Direct traffic: what it really means
Direct traffic is the bucket analytics uses when no referrer is available. It includes genuine type-ins and bookmarks, but also a large share of visits whose referrer was stripped — app opens, HTTPS-to-HTTP transitions, shorteners, and privacy settings. Treating 'direct' as a single intent is the classic analytics mistake.
- Privacy-first analytics
Measure traffic within the limits Referrer-Policy sets, without reconstructing withheld data.
Sources and verification notes
- MDN — Referrer-PolicyAuthoritative list of policy values and their effects.
- MDN — Referer header
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.