referrer-policy

1.2.0 verified Sat Apr 25 auth: no javascript

Express/Connect middleware to set the Referrer-Policy HTTP header, part of the Helmet.js security suite. Version 1.2.0 is stable and works with Node >=4. Ships TypeScript definitions. Allows specifying one of the standard policy values (e.g., no-referrer, same-origin, strict-origin-when-cross-origin) or an array of policies for fallback. Lightweight and focused, with no external dependencies.

Common errors

error Error: Cannot find module 'referrer-policy' ↓

cause Package not installed or import path wrong.

fix

Run 'npm install referrer-policy' and ensure import path matches package name.

error TypeError: referrerPolicy is not a function ↓

cause Using named import { referrerPolicy } instead of default import.

fix

Use 'import referrerPolicy from 'referrer-policy''.

error Invalid policy value: 'something-else' ↓

cause Passed an unsupported policy string.

fix

Use one of the valid policies: 'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin', 'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin', 'unsafe-url'.

Warnings

gotcha The 'policy' option must be a string or an array of strings. If an array, only the first valid policy is used by some browsers. ↓

fix Pass a single policy string unless you intend fallback behavior (array).

gotcha Setting policy to an empty string or invalid value will default to 'no-referrer' silently. ↓

fix Always validate policy against the allowed values listed in the spec.

deprecated The 'policy' option default changed from 'no-referrer' to 'strict-origin-when-cross-origin'? Not applicable for this package; defaults to 'no-referrer'. ↓

fix Explicitly set policy to avoid ambiguity.

Install

npm install referrer-policy

yarn add referrer-policy

pnpm add referrer-policy

Imports

referrerPolicy
wrong
```
const referrerPolicy = require('referrer-policy')
```
correct
```
import referrerPolicy from 'referrer-policy'
```
Package is ESM-compatible via bundler; CommonJS require is still supported in Node <14 or without 'type':'module'.

referrerPolicy

wrong

import { referrerPolicy } from 'referrer-policy'

correct

const referrerPolicy = require('referrer-policy')

Default export only; named import will fail.

Default import (TypeScript)
wrong
```
import * as referrerPolicy from 'referrer-policy'
```
correct
```
import referrerPolicy from 'referrer-policy'
```
TypeScript types use default export; namespace import works but not idiomatic.

Quickstart

Shows how to import and use the middleware with Express, setting the policy to 'same-origin'.

import express from 'express';
import referrerPolicy from 'referrer-policy';

const app = express();
app.use(referrerPolicy({ policy: 'same-origin' }));
// Sets Referrer-Policy: same-origin

app.listen(3000);