{"id":18737,"library":"referrer-policy","title":"referrer-policy","description":"Express/Connect middleware to set the Referrer-Policy HTTP header, part of the Helmet.js security suite. Version 1.2.0 is stable and works with Node >=4. Ships TypeScript definitions. Allows specifying one of the standard policy values (e.g., no-referrer, same-origin, strict-origin-when-cross-origin) or an array of policies for fallback. Lightweight and focused, with no external dependencies.","status":"active","version":"1.2.0","language":"javascript","source_language":"en","source_url":"git://github.com/helmetjs/referrer-policy","tags":["javascript","helmet","security","express","connect","referer","referrer","privacy","typescript"],"install":[{"cmd":"npm install referrer-policy","lang":"bash","label":"npm"},{"cmd":"yarn add referrer-policy","lang":"bash","label":"yarn"},{"cmd":"pnpm add referrer-policy","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"Package is ESM-compatible via bundler; CommonJS require is still supported in Node <14 or without 'type':'module'.","wrong":"const referrerPolicy = require('referrer-policy')","symbol":"referrerPolicy","correct":"import referrerPolicy from 'referrer-policy'"},{"note":"Default export only; named import will fail.","wrong":"import { referrerPolicy } from 'referrer-policy'","symbol":"referrerPolicy","correct":"const referrerPolicy = require('referrer-policy')"},{"note":"TypeScript types use default export; namespace import works but not idiomatic.","wrong":"import * as referrerPolicy from 'referrer-policy'","symbol":"Default import (TypeScript)","correct":"import referrerPolicy from 'referrer-policy'"}],"quickstart":{"code":"import express from 'express';\nimport referrerPolicy from 'referrer-policy';\n\nconst app = express();\napp.use(referrerPolicy({ policy: 'same-origin' }));\n// Sets Referrer-Policy: same-origin\n\napp.listen(3000);","lang":"typescript","description":"Shows how to import and use the middleware with Express, setting the policy to 'same-origin'."},"warnings":[{"fix":"Pass a single policy string unless you intend fallback behavior (array).","message":"The 'policy' option must be a string or an array of strings. If an array, only the first valid policy is used by some browsers.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Always validate policy against the allowed values listed in the spec.","message":"Setting policy to an empty string or invalid value will default to 'no-referrer' silently.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Explicitly set policy to avoid ambiguity.","message":"The 'policy' option default changed from 'no-referrer' to 'strict-origin-when-cross-origin'? Not applicable for this package; defaults to 'no-referrer'.","severity":"deprecated","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-25T00:00:00.000Z","next_check":"2026-07-24T00:00:00.000Z","problems":[{"fix":"Run 'npm install referrer-policy' and ensure import path matches package name.","cause":"Package not installed or import path wrong.","error":"Error: Cannot find module 'referrer-policy'"},{"fix":"Use 'import referrerPolicy from 'referrer-policy''.","cause":"Using named import { referrerPolicy } instead of default import.","error":"TypeError: referrerPolicy is not a function"},{"fix":"Use one of the valid policies: 'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin', 'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin', 'unsafe-url'.","cause":"Passed an unsupported policy string.","error":"Invalid policy value: 'something-else'"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}