No Referrer-Policy header
When someone clicks a link on your site to visit another website, the browser automatically tells that other site which page the visitor came from. The Referrer-Policy header controls how much of that information is shared. This header is currently missing.
Why this matters
Without a Referrer-Policy, outbound links from your site send the full page URL — including any sensitive path segments or query parameters — to every external site your visitors navigate to. This can leak internal page names, tracking parameters, or session tokens.
How to fix it
Add the response header Referrer-Policy: strict-origin-when-cross-origin to your site. This is the modern recommended default and shares only your domain name (not the full URL) with external sites.
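To make the fix concrete and checkable, here is an added example (not part of the original finding, and not code from any particular scanner or framework). It models what the Referer request header carries on a cross-origin link click under each Referrer-Policy value, audits a response's headers for the missing or weak cases, and shows a WSGI middleware that adds the recommended value when the application has not set one. The page URL, the sample application and the header values are constructed for illustration; a missing header is modelled as the legacy no-referrer-when-downgrade behaviour, which is the conservative assumption the finding is based on.

```python
"""Added example, not part of the original finding: a small audit helper and
a WSGI middleware for the Referrer-Policy header. All URLs, header values and
the sample application below are constructed for illustration."""
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

RECOMMENDED = "strict-origin-when-cross-origin"

# Policy values that still send the full URL on an HTTPS -> HTTPS cross-origin
# navigation, so they give no protection against the leak the finding describes.
LEAKS_FULL_URL = {"no-referrer-when-downgrade", "unsafe-url"}


def referer_sent(page_url: str, policy: Optional[str]) -> Optional[str]:
    """Model the Referer request header a browser sends when a visitor follows
    a link from page_url (HTTPS, your site) to a different HTTPS origin.

    A missing header is modelled as the legacy no-referrer-when-downgrade
    default, the conservative assumption the finding is based on."""
    p = urlsplit(page_url)
    origin = f"{p.scheme}://{p.netloc}/"
    # The fragment (#...) is never sent in a Referer, so drop it.
    full_url = urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))
    value = (policy or "no-referrer-when-downgrade").strip().lower()
    if value in ("no-referrer", "same-origin"):
        return None
    if value in LEAKS_FULL_URL:
        return full_url
    if value in ("origin", "origin-when-cross-origin", "strict-origin", RECOMMENDED):
        return origin
    raise ValueError(f"unknown Referrer-Policy value: {policy!r}")


def audit(headers: Dict[str, str]) -> str:
    """Classify a response's Referrer-Policy as 'missing', 'weak' or 'ok'."""
    value = next((v for k, v in headers.items() if k.lower() == "referrer-policy"), None)
    if value is None:
        return "missing"
    if value.strip().lower() in LEAKS_FULL_URL:
        return "weak"
    return "ok"


class ReferrerPolicyMiddleware:
    """Hypothetical WSGI middleware: adds the recommended header to every
    response that does not already set a Referrer-Policy of its own."""

    def __init__(self, app, policy: str = RECOMMENDED):
        self.app, self.policy = app, policy

    def __call__(self, environ, start_response):
        def patched_start(status, headers, exc_info=None):
            if not any(k.lower() == "referrer-policy" for k, _ in headers):
                headers.append(("Referrer-Policy", self.policy))
            return start_response(status, headers, exc_info)
        return self.app(environ, patched_start)


def response_headers(app, path: str = "/") -> Dict[str, str]:
    """Invoke a WSGI app once, offline, and return its response headers."""
    captured: Dict[str, str] = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    body = app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response)
    if hasattr(body, "close"):
        body.close()
    return captured


def bare_app(environ, start_response):
    """Constructed sample application that sets no Referrer-Policy at all."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<a href='https://external.example.com/'>outbound link</a>"]


if __name__ == "__main__":
    # Constructed page URL with a sensitive path segment and query parameter.
    page = "https://www.example.com/account/reset?token=abc123#top"
    for pol in (None, "unsafe-url", RECOMMENDED, "no-referrer"):
        print(f"{pol or '(missing)':32} -> {referer_sent(page, pol)}")
    print("bare app   :", audit(response_headers(bare_app)))
    print("wrapped app:", audit(response_headers(ReferrerPolicyMiddleware(bare_app))))
```

Running the block shows the difference the finding describes: with no header (or unsafe-url) the external site receives the full reset URL including the token, while strict-origin-when-cross-origin reduces it to https://www.example.com/. The middleware is one place to set the header; a web server or CDN configuration that adds the same response header works equally well, and the audit function is a quick way to confirm the fix on a captured response.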