Referrer-Policy Header Checker

Checks whether a website returns a Referrer-Policy response header and whether the effective policy is safe.

Why it matters:

• The referrer can leak sensitive URL paths/query params to third parties.
• A modern default for many sites is strict-origin-when-cross-origin.

What the Actor does

For each URL it:

1. Fetches response headers (HEAD first, optional GET fallback)
2. Parses Referrer-Policy (supports multiple comma-separated policies)
3. Determines the effective policy (right-most valid value)
4. Flags risky values like unsafe-url or missing headers (optional)

Input

• Start URLs (startUrls): Request List Sources format
• Request strategy (requestStrategy): HEAD-only, GET-only, or HEAD→GET fallback
• Expected effective policy (expectedPolicy): ANY (no strict check) or a specific policy
• Warn on missing (warnOnMissing): warn if header is missing

Plus: maxUrls, timeoutSecs, followRedirects, maxRedirects, maxConcurrency, and proxyConfiguration.

Output

Dataset (per-URL results)

Each item includes:

• startUrl, finalUrl, statusCode, redirected, checkedAt, usedMethod
• referrerPolicyRaw, policies, effectivePolicy
• score (0–100 heuristic), issues, warningCount, errorCount, ok

Key-value store

• SUMMARY: aggregate counts and top issue codes
• REPORT: same as summary (structured JSON)

Example input

{
  "startUrls": [{"url":"https://example.com"}],
  "maxUrls": 1,
  "timeoutSecs": 20,
  "requestStrategy": "HEAD_THEN_GET",
  "expectedPolicy": "ANY",
  "warnOnMissing": true,
  "maxConcurrency": 2,
  "proxyConfiguration": {"useApifyProxy": false}
}

Quick start

Store page: https://apify.com/scrappy_garden/referrer-policy-header-checker

Paste this into Input and click Run:

{
  "startUrls": [
    {
      "url": "https://example.com/"
    }
  ],
  "proxyConfiguration": {
    "useApifyProxy": false
  }
}

Outputs (what you get)

• Dataset: Dataset items typically include fields like: startUrl, finalUrl, statusCode, referrerPolicyRaw, policies, effectivePolicy, score, ok, warningCount, errorCount.
• Key-value store: REPORT, SUMMARY

Tips (trust + predictable results)

• Start with 1–3 URLs to validate behavior, then scale up.
• If a target blocks requests, enable Proxy and/or slow down concurrency in Input.
• Use the SUMMARY / REPORT keys (when present) for automation pipelines and monitoring.

Related actors

• security-headers-checker (https://apify.com/scrappy_garden/security-headers-checker)
• hsts-header-checker (https://apify.com/scrappy_garden/hsts-header-checker)
• cache-control-checker (https://apify.com/scrappy_garden/cache-control-checker)
• content-type-header-validator (https://apify.com/scrappy_garden/content-type-header-validator)

Search keywords

referrer policy header checker, referrer-policy header checker - validate referrer leakage policy, website audit, seo, http headers