TechWebDev

WordPress Failed to Set Referrer Policy Response Headers – W3 Total Cache


In my tinkering with web development, I ran into the following error on my production WordPress site for my company.

Failed to set referrer policy: The value '' is not one of 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', or 'unsafe-url'. The referrer policy has been left unchanged.

Basically, the security response header called “Referrer-Policy” is being set to an empty value by my webserver. I know this because otherwise the error would not be present, nor would we see the response header at all. This header can take the following values:

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

I then needed to find out why my response header was empty – aka not being set by my webserver. In my scenario I am on a webserver that has an .htaccess file. This hidden file controls a lot of the behavior of the webserver from the top end. This is where you enable gzip compression, HTTPS redirection, and protection of files and directory browsing, and where you set cookies and headers. I then found this line:

Header set Referrer-Policy ""

The WordPress site I’m using has most of the .htaccess file generated by my caching plugin. I use W3TC (W3 Total Cache), and sure enough there was a setting under the Browser Cache section.

After changing this setting, the error went away and the line in my .htaccess file was updated correctly. For more information on the actual values and what they mean you can check out this link.

You can actually look at the headers for each individual request when loading a website. In Chrome developer tools, click on the Network tab. Then, for example, click any of the files listed below it. Each one represents a request and will be, for the most part, a GET call. A box should load with all of the headers listed.
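To catch this before a browser complains, the .htaccess file itself can be checked. The script below is an added example, not part of the original post and not W3TC code: it scans .htaccess text for mod_headers directives that send Referrer-Policy and flags empty or unrecognised values. The function name and the sample file are made up for illustration, and it also accepts a comma-separated list of policies, which goes beyond the single-value case shown above.

```python
import shlex

# The eight values named in the browser error message quoted in the post.
VALID = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
SETTERS = {"set", "setifempty", "add", "append", "merge"}  # actions that send a value


def audit_referrer_policy(htaccess_text):
    """Return (line_no, value, problem) for each rejected Referrer-Policy directive."""
    findings = []
    for line_no, raw in enumerate(htaccess_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # honours the quoting around the value
        except ValueError:
            continue  # unbalanced quotes: not something this check can judge
        if not tokens or tokens[0].lower() != "header":
            continue
        args = tokens[1:]
        if args and args[0].lower() in ("always", "onsuccess"):
            args = args[1:]  # optional condition keyword before the action
        if (len(args) < 2 or args[0].lower() not in SETTERS
                or args[1].lower() != "referrer-policy"):
            continue
        value = args[2] if len(args) > 2 else ""
        policies = [p.strip().lower() for p in value.split(",") if p.strip()]
        unknown = [p for p in policies if p not in VALID]
        if not policies:
            findings.append((line_no, value, "empty value"))
        elif unknown:
            findings.append((line_no, value, "unknown: " + ", ".join(unknown)))
    return findings


# Constructed sample, not the author's real .htaccess.
SAMPLE = """\
<IfModule mod_headers.c>
    Header set Referrer-Policy ""
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header set Referrer-Policy "no-referer"
</IfModule>
"""

print(audit_referrer_policy(SAMPLE))
```

On the sample it reports line 2 (the empty value from this post) and line 4 (a misspelled policy), and leaves the valid directive on line 3 alone.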
