diff --git a/src/base/http/types.h b/src/base/http/types.h
index 464e53920..a38e3d328 100644
--- a/src/base/http/types.h
+++ b/src/base/http/types.h
@@ -52,6 +52,7 @@ namespace Http
 const char HEADER_HOST[] = "host";
 const char HEADER_ORIGIN[] = "origin";
 const char HEADER_REFERER[] = "referer";
+ const char HEADER_REFERRER_POLICY[] = "referrer-policy";
 const char HEADER_SET_COOKIE[] = "set-cookie";
 const char HEADER_X_CONTENT_TYPE_OPTIONS[] = "x-content-type-options";
 const char HEADER_X_FORWARDED_HOST[] = "x-forwarded-host";
diff --git a/src/webui/webapplication.cpp b/src/webui/webapplication.cpp
index b16a466c2..dac8f155f 100644
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@@ -570,9 +570,11 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
 if (m_isHttpsEnabled) { csp += QLatin1String(" upgrade-insecure-requests;"); } - header(Http::HEADER_CONTENT_SECURITY_POLICY, csp); + if (!m_isAltUIUsed) + header(Http::HEADER_REFERRER_POLICY, "same-origin"); + return response(); }
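Review bot: The `if (!m_isAltUIUsed)` guard in `WebApplication::processRequest` leaves responses served for an alternative UI without any Referrer-Policy, and nothing in the hunk says why that case is exempt. Without the header the browser's default referrer policy applies, which on older browsers can still pass the WebUI origin or full URL to cross-origin link targets. If the exemption is deliberate, record it next to the guard, e.g. `// Referrer-Policy is skipped for alternative UIs because <reason>`; if it is not, send the header unconditionally with `header(Http::HEADER_REFERRER_POLICY, "same-origin");`. The function body starts outside the hunk, so any earlier handling of the alternative UI is not visible here.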