How To Setting an HTTP Referrer-Policy Headers in WordPress

How To Setting an HTTP Referrer-Policy Headers in WordPress. In WordPress, how to set an HTTP Referrer-Policy header. You may want to limit the amount of data sent when a user clicks on a link on your site. The HTTP Referrer is a term used to describe this information. Following are the given method of How To Setting an HTTP Referrer-Policy Headers in WordPress.

Referrer-Policy Headers

The Referrer-Policy header exists to help limit the amount of information that is sent when a link is clicked. Simply, this header tells the visitor’s browser to only include the information defined in the request.

Security Headers plugin

Using the Security Headers plugin, we’ll show you how to configure a Referrer-Policy header to limit the information sent when a user clicks on a link on your site.

Using the Security Headers Plugin to Set and Customize Your HTTP Referrer Policy

  1. Start by logging into your WordPress admin.
  2. Next, install and activate the Security Headers plugin.

To access the new options that are provided by the Security Headers plugin, hover over Settings, then click on HTTP Headers.


Look for a drop-down titled HTTP Referrer Policy in the plugin’s preferences page and select your preferred referrer policy. Here’s a quick rundown of the various alternatives accessible to you if you’re not sure which is ideal for your site: 

The plugin will not set the Referrer-Policy header if this option is selected. Browsers can specify how they want to handle referrer data by selecting this option.

In this case, all destinations will receive the referrer information even if the connection is degraded from HTTPS to HTTP, as this option specifies. By default, most browsers will include this feature.

No more information is sent with this choice. As an example, if someone clicked on, the referrer would be”

when-crossing-origin: This option will send the whole path when clicking on internal links, but just send the originating site when going to external links.

same-origin: All external and internal links will not be tracked by this setting. Whenever a user clicks on an external link, the referrer information will be omitted.

A mix of no-referrer-when-downgrading and origin, this option is called strict-origin. When someone clicks on a link, it only sends the user to the original source. For an HTTP destination, there will be no referrer sent if the link is clicked.

It is identical to the /origin when cross-origin/, but with the added functionality of no-referrer when downgrading. Strict-origin-when-cross origin: An HTTP destination, however, does not send the referrer; instead, only the originating site’s URL is transmitted as the link’s referrer.

unsafe-url: The option will always send the full URL within the referrer, regardless of the destination (not recommended).

Make sure to click the Save Changes button at the bottom of the page once you’ve selected your HTTP Referrer Policy.

No 3rd-Party Plugins Required to Add Security Headers to WordPress

Adding Security Headers to WordPress Without 3rd-Party Plugins

Many WordPress websites already have too many plugins to keep track of, making it difficult to keep up with them. What if you don’t need all the features of a full-featured plugin to add security headers?

For WordPress sites not hosted at Pagely, we will show you how to add security headers from Atomic or, if you prefer, a simple drop-in plugin.

Encrypting ARES Gateway-Level Security Headers (Recommended for Pagely Sites)

For optimal performance, Pagely customers should use the ARES gateway to set these headers. See our post on how to set response headers in Atomic for more information.

A sample of a WordPress security header (Works on All WordPress Sites)

WordPress sites may easily add headers by just adding a few lines of code.

As an illustration, consider the following few lines:

function pagely_security_headers( $headers ) {
    $headers['X-XSS-Protection'] = '1; mode=block';
    $headers['X-Content-Type-Options'] = 'nosniff';
    $headers['X-Content-Security-Policy'] = 'default-src \'self\'; script-src \'self\';';

    return $headers;

add_filter( 'wp_headers', 'pagely_security_headers' );

All we’re doing in the example above is using an existing WordPress hook to handle a few more security headers. With the use of the wp headers filter, we can quickly add or override any headers before to the page’s display.

Developing a WordPress Header Drop-In Plugin

Single-use plugins are nearly always the best choice when it comes to altering the basic WordPress behavior. This will keep your customizations intact even if you switch themes or perform an upgrade.

When it comes to altering security headers, a simple drop-in plugin is ideal. Without having to use a security headers plugin with all of its bells and whistles, you can quickly and easily make a few adjustments that will last across plugins and themes.

Create a file called page-security-headers.php in your wp-content with the following content to turn this solution into a WordPress plugin:

Plugin Name: Pagely Security Headers
Plugin URI:
Description: A drop-in plugin by Pagely to add security headers.
Author: JeffMatson, Pagely
Version: 0.1
Author URI:

function pagely_security_headers( $headers ) {
    $headers['X-XSS-Protection'] = '1; mode=block';
    $headers['X-Content-Type-Options'] = 'nosniff';
    $headers['X-Content-Security-Policy'] = 'default-src \'self\'; script-src \'self\';';

    return $headers;

add_filter( 'wp_headers', 'pagely_security_headers' );

Just change it to fit the headers you want, and then activate it. It’s as simple as that.

%d bloggers like this: