In my tinkering with web development I ran into the following error on my production WordPress site for my company.
Basically, the security response header called “referrer-policy” is being set to an empty value by my webserver. I know this because otherwise the error would not be present, nor would we see the response header at all. This header can take the following values:
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
I then needed to find out why my response header was empty – aka not being set by my webserver. In my scenario I am on a webserver that has an .htaccess file. This hidden file controls a lot of the behavior of the webserver from the top end. This is where you enable gzip compression, HTTPS redirection, and protection of files and directory browsing, and where you set cookies and headers. I then found this line:
Header set Referrer-Policy ""
The WordPress site I’m using has most of the .htaccess file generated by my caching plugin. I use W3TC (W3 Total Cache), and sure enough there was a setting under the Browser Cache section.
After changing this setting, the error went away and the line in my .htaccess file was updated correctly. For more information on the actual values and what they mean you can check out this link.

You can actually look at the headers for each individual request when loading a website. In Chrome developer tools, click on the Network tab. Then, for example, click any listed file below. Each one represents an action and will be, for the most part, GET calls. A box should have loaded with the headers all listed.
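
An added example, not part of the original post or of W3TC: a small Python check that scans .htaccess text for Header directives that set Referrer-Policy and flags an empty value, like the line found above, or a token outside the eight values listed. The sample .htaccess content is constructed and the function name audit_htaccess is an assumption; comma-separated fallback lists are accepted, as the Referrer Policy specification allows.

```python
import shlex

# The eight policy tokens listed in the post.
VALID_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
SET_ACTIONS = {"set", "setifempty", "append", "merge", "add"}
CONDITIONS = {"always", "onsuccess"}  # optional word after "Header"

# Constructed sample .htaccess content (not taken from a real site).
SAMPLE = '''\
# constructed sample
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set Referrer-Policy ""
    Header always set Referrer-Policy "strict-origin-when-crossorigin"
    Header set Referrer-Policy "no-referrer, strict-origin-when-cross-origin"
</IfModule>
'''

def audit_htaccess(text):
    """Return (line_no, value, problem) for each bad Referrer-Policy directive."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        try:
            parts = shlex.split(raw)  # honours the quoting used around values
        except ValueError:
            continue  # unbalanced quote or stray backslash on an unrelated line
        if not parts or parts[0].lower() != "header":
            continue
        args = parts[1:]
        if args and args[0].lower() in CONDITIONS:
            args = args[1:]
        if (len(args) < 2 or args[0].lower() not in SET_ACTIONS
                or args[1].lower() != "referrer-policy"):
            continue
        value = args[2] if len(args) > 2 else ""
        tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
        bad = [t for t in tokens if t not in VALID_POLICIES]
        if not tokens:
            findings.append((line_no, value, "empty value"))
        elif bad:
            findings.append((line_no, value, "unknown policy: " + ", ".join(bad)))
    return findings

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE):
        print("line %d: %r -> %s" % finding)
```

Running it against a copy of the .htaccess file after a plugin regenerates it shows whether the empty directive has come back.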