If you’re wondering why you only see the homepage when filtering by a referrer instead of the full pathname, it’s likely because the referrer’s referrer policy is set to exclude the full pathname. This policy determines the level of detail shared and what we can show in your referrers list on your dashboard — whether it’s the full URL or just the origin. The referrer policy can be defined either by the referrer themselves, or if a referrer policy isn’t explicitly set, it will default to the policy enforced by the visitor’s browser. The referrer policy is found in the Referer header (yes, it was indeed misspelled by the creators) within a page request.

What does “Origin” mean?

Before we delve into the list of referrer policies, it’s worth understanding what the word “Origin” refers to. The origin is made up of three components from the URL:
  • Scheme: The protocol that is used, such as HTTP orHTTPS
  • Hostname: The domain and any subdomain if relevant (i.e., usefathom.com or app.usefathom.com)
  • Port: By default this is 80 for HTTP or 443 for HTTPS and is therefore not shown in most URLs. Typically, you’ll only see the port if you’re developing a site locally (i.e., http://localhost:3000)
Two URLs have the same origin if they both contain the same scheme, hostname, and port (if specified). Here’s some examples showing what is considered same-origin and cross-origin: Same-origin: https://usefathom.com/about -> https://usefathom.com/security https://usefathom.com/about -> https://usefathom.com/blog/how-we-built-our-referral-program Cross-origin: https://usefathom.com/ -> https://app.usefathom.com/ https://usefathom.com/about -> https://example.com/ https://usefathom.com/about -> http://example.com/

What are the Referrer Policies?

  • no-referrer: The Referrer will not be sent.
  • no-referrer-when-downgrade: The Referer header will be sent to the same-origin, but it won’t be sent to a less secure destination (i.e., from HTTPS to HTTP).
  • origin: Only send the origin (scheme, host, and port) of the referring page.
  • origin-when-cross-origin: Send the full URL for same-origin requests (i.e., example.com -> example.com ), but only send the origin for cross-origin requests (i.e., example.com -> usefathom.com).
  • same-origin: Send the full URL when the request is same-origin, and send only the origin for cross-origin requests.
  • strict-origin: Send the origin of the referring page when the protocol security level stays the same (HTTP→HTTP, HTTPS→HTTPS), but do not send it to a less secure destination.
  • strict-origin-when-cross-origin: Send the full URL when the protocol security level stays the same, but send only the origin for cross-origin requests.
  • unsafe-url: The full URL will be sent in all cases.

What are the default referrer policies for each major browser?

  • Chrome: strict-origin-when-cross-origin (current version: 120)
  • Safari: strict-origin-when-cross-origin (current version: 17.2)
  • Firefox: strict-origin-when-cross-origin (current version: 118)
  • Edge: strict-origin-when-cross-origin (current version: 120)
  • Brave: strict-origin-when-cross-origin (current version: 1.61)

Why can I not see Google keywords when filtering by Google as a referrer?

The answer is a simple one: Google do not include search terms/keywords in the referrer. They require an integration with their Search Console in order for us to import the keyword data. In the future we will look to integrate data from Search Console.

How to set a referrer policy for your own site

If you want to control the referrer policy of your site, it’s important to consider the privacy and security implications. However, if your site, for example, is a blog, a marketing site, or a personal site, you’re likely not passing any personal or sensitive information via your site’s URLs. To set a referrer for your site, you will need to add a <meta> referrer tag to the <head> of your site. Here’s an example: 
<meta name="referrer" content="no-referrer-when-downgrade"/>
Select a referrer policy from the list above and place it between the content attribute quotes.

What can I do to capture where more of my traffic is originating from?

You can’t control other site’s referrer policies, unfortunately. However, there is something you can do to with the links that you do control — include UTM parameters in those links. For instance, links that point to your site from emails, social media sites, and ads — sources that often lack useful referrer data — can all contain UTM parameters. That will enable you to identify if any visitors have visited your site through these links, and even attribute conversions back to those UTMs if you use events to collect data on conversions.