Missing or leaky Referrer-Policy
Missing or leaky Referrer-Policy: what it means, why it may matter, and how to remediate with external verification using ExposureGrid.
The problem
Missing or leaky Referrer-Policy: the response either sends no Referrer-Policy header or sets one that lets browsers forward the full URL (path and query string) to other origins. This externally visible configuration may increase risk depending on how your site handles sessions, content, and third-party dependencies.
Why it matters
Impact depends on threat model and data sensitivity. Treat findings as signals to validate - avoid assuming immediate compromise.
How to check
Combine spot checks (browser devtools, curl) with ExposureGrid scans for route and edge coverage. Compare runs over time after changes.
How to fix
Plan incremental fixes, test in staging, and monitor for breakage. Prefer small deploys with rollback paths.
- Identify owners for the affected component (app, edge, DNS, or mail).
- Make a minimal change and validate in staging or a canary route.
- Deploy with monitoring and rollback readiness.
- Re-run ExposureGrid to confirm the external signal improved.
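As an added example (not ExposureGrid's own code), the shell function below performs the curl-style spot check referred to above and doubles as the local verification step after a fix: it reads a raw HTTP response-header block (the kind `curl -sI https://your-domain.example/` prints), picks out the Referrer-Policy header, and classifies it as `missing`, `leaky`, `ok`, or `unrecognized`. The token names are the standard Referrer-Policy values; the classification of `unsafe-url` and `no-referrer-when-downgrade` as leaky, the handling of comma-separated fallback lists (last recognized token wins, as browsers do), and the sample header blocks are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not ExposureGrid's code. Classify the Referrer-Policy header
# in an HTTP response-header block supplied on stdin.
# Prints one of: missing | leaky | ok | unrecognized
classify_referrer_policy() {
  # Last Referrer-Policy line wins; drop the header name, CR, spaces, tabs; lowercase.
  raw=$(grep -i '^referrer-policy:' | tail -n 1 | sed 's/^[^:]*://' \
        | tr -d '\r \t' | tr 'A-Z' 'a-z')
  if [ -z "$raw" ]; then
    echo missing
    return 0
  fi
  # The header may be a comma-separated fallback list; browsers apply the
  # last token they recognise and ignore unknown tokens.
  effective=""
  old_ifs=$IFS
  IFS=,
  for token in $raw; do
    case "$token" in
      no-referrer|same-origin|origin|strict-origin|origin-when-cross-origin|\
      strict-origin-when-cross-origin|unsafe-url|no-referrer-when-downgrade)
        effective=$token ;;
    esac
  done
  IFS=$old_ifs
  case "$effective" in
    "")
      # Only unknown tokens: browsers fall back to their default policy.
      echo unrecognized ;;
    unsafe-url|no-referrer-when-downgrade)
      # These can send the full URL cross-origin (assumed "leaky" set).
      echo leaky ;;
    *)
      echo ok ;;
  esac
}

# Constructed sample header blocks (not captured from any real site).
SAMPLE_MISSING='HTTP/1.1 200 OK
Content-Type: text/html
'
SAMPLE_LEAKY='HTTP/1.1 200 OK
Referrer-Policy: unsafe-url
'
SAMPLE_OK='HTTP/1.1 200 OK
Referrer-Policy: no-referrer, strict-origin-when-cross-origin
'

# Stand-alone demonstration; for a live check replace the sample with:
#   curl -sI "https://your-domain.example/" | classify_referrer_policy
for name in MISSING LEAKY OK; do
  eval "block=\$SAMPLE_$name"
  printf '%s -> %s\n' "$name" "$(printf '%s' "$block" | classify_referrer_policy)"
done
```

Run it against several routes (login, API, static assets) rather than only the homepage, since edge and application layers often set headers independently; the scanner's route coverage is what catches the route you forgot to test by hand.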
Run a scan to verify this fix on your domain
Use the same public scanner as the homepage — results honor your plan tier.
Scan your domain
What ExposureGrid checks
ExposureGrid correlates this signal with other external findings so you can prioritize what to fix first and verify improvements after deploy.
FAQ
- Why does "Missing or leaky Referrer-Policy" appear in ExposureGrid?
- Scanners observe externally visible signals. A finding means our rules matched - validate severity and applicability in your environment.
- Could this be a false positive?
- Yes, depending on context and coverage limits. Especially for heuristic, partial, or pattern-based checks, corroborate with manual review.
- What should I do after changing configuration?
- Re-run a scan to confirm the external signal changed, then enable monitoring where your plan supports it.
ExposureGrid continuously monitors these issues and alerts you before they become exploitable.
