Adding a referrer to the headers for request for assets on the Media Library

“System Information”

  • Strapi Version: 4.1.3
  • Operating System: Mac OS
  • Database: Postgres
  • Node Version: v16.14.0
  • NPM Version: 8.3.1

Is there a way to add the referrer header for requests for image assets from the Media Library?

When I click on Media Library and when Strapi loads images, the referrer does not appear in the request headers for those assets that are uploaded to AWS S3 with the plugin “strapi-provider-upload-aws-s3-plus-cdn”: “1.0.6”.

It looks like the Referrer Policy is set to no-referrer, is there a way to update this to pass along the referrer in the request headers? I believe in previous verisons of Strapi (ie 3.6.7) the referrer was being passed in the header of the request for images.

Request Headers

GET /image.png?width=880&height=736 HTTP/1.1
Connection: keep-alive
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="99", "Google Chrome";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
sec-ch-ua-platform: "macOS"
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

The reason why I want to add the referrer to the header is because I am using AWS WAF to prevent hot-linking images.

If there isn’t a way to update the request headers, do you have any other recommendations from preventing hot-linking of the image assets?

Thank you,

You need to create a global middleware 'global::header' (where header is middleware name) and add it in config/middlewares.js

Middleware content ./src/middlewares/header.js

module.exports = (config, { strapi }) => {
    return (context, next) => {
        context.set('referrer-policy', 'origin');
        return next();

Same issue in Strapi v4.6.0. My solution is the following:

Admin webpages output Referrer-Policy: no-referrer header due to the default config of strapi::security middleware. So we need to update its referrerPolicy in ./config/middlewares.js file:

// before
module.exports = [

// before
module.exports = [
		name: 'strapi::security',
		config: {
			referrerPolicy: {
				policy: 'origin-when-cross-origin',