How to configure HTTP header: Referrer-Policy?


Is there any place (for instance Lifetime) where I can configure Referrer-Policy HTTP header for all OS applications?

More info here about the HTTP header:

I have looked to OS documentation: "Apply Content Security Policy" but it doesn't seem to be able to config this header.

Best regards,


Hi João,

You can change your web.config file to send HTTP Security Headers using Factory Configuration forge component.

You can see here an example. 

Kind Regards,


Facing the same issue. I need to configure the; 'referrer-policy' and the 'permissions-policy'. 

I found this part online regarding adding the permissions-policy to the header:

Permissions-Policy: geolocation=(self ""), microphone=()

Can someone explain step-by-step where to add this?





For permissions-policy and referrer-policy add this as new configuration and assign it to the espaces.

<?xml version="1.0" encoding="UTF-8"?>

<xsl:stylesheet version="1.0" xmlns:xsl="">

    <xsl:output method="xml" indent="yes" encoding="UTF-8"/> 

    <xsl:template match="@*|node()">


            <xsl:apply-templates select="@*|node()"/>




    <xsl:template match="/configuration/system.webServer/httpProtocol/customHeaders">


            <xsl:apply-templates select="@*|node()"/>

            <add name="Referrer-Policy" value="no-referrer" />

            <add name="Permissions-Policy" value="no-referrer" />





Like João Marques tried to explain.

You can follow the steps explain here  and then add the attached shared configuration to the form.


Don't forget do publish module after appling the settings in Factory Configuration.

You can check in network if the Header was applied as you expected.


Security Headers.txt
Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.