Referrer-Policy controls what the browser puts in the Referer request header when a user follows a link from your page to another site, and also when your page loads cross-origin subresources (images, scripts, iframes) or makes cross-origin fetch/XHR requests. Until browsers tightened their defaults (Chrome 85 and Firefox 87), the default policy was no-referrer-when-downgrade, which sends the full URL -- path and query string included, and therefore any password-reset tokens, session identifiers or search terms that ended up in the URL -- to every HTTPS third-party domain you link to or load resources from. Only the fragment (#...) and any credentials in the URL are never sent, whatever the policy.
Recommended value: strict-origin-when-cross-origin. It sends the full URL on same-origin requests, only the origin (scheme, host and port, serialized as e.g. https://app.example.com/) on cross-origin requests that stay at the same security level (HTTPS to HTTPS, or HTTP to HTTP), and nothing at all on a downgrade from HTTPS to HTTP. It is now the default in Chrome, Firefox and Safari, but set it explicitly anyway: an explicit header removes the dependence on whichever default a given browser version ships, and it is what header scanners and pentest checklists look for. Send it as a response header on every document response (Referrer-Policy: strict-origin-when-cross-origin); a meta name="referrer" tag or a per-element referrerpolicy attribute also works. The header accepts a comma-separated list, and browsers apply the last value they recognize while ignoring unknown ones, so Referrer-Policy: no-referrer, strict-origin-when-cross-origin gives older browsers that predate the strict-* values a safe fallback instead of their own default. Note that the per-element attribute and the referrerPolicy option of fetch() override the document policy, so a third-party script running in your page can loosen it for its own requests; the header is not a defense against code you already trust to run.
For high-privacy sites (anywhere the fact of a visit to your origin is itself sensitive): no-referrer, which sends nothing, not even your origin, on any request. For sites that care about SEO and marketing attribution, strict-origin-when-cross-origin is the right balance -- analytics still see your origin as the referral source, click-ID based ad attribution is unaffected because it rides on the destination URL's own query string rather than on Referer, and the page path and query string stay on your site. Two caveats: the policy only limits what cross-origin parties see, so same-origin requests still carry the full URL and the real fix for tokens in URLs is to not put them there (POST bodies, cookies, or one-time tokens consumed and replaced on first load); and you should verify what actually ships by inspecting response headers (curl -sI on a few page URLs), including error pages and redirects, which are often served by a different layer that forgets to add the header.
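To make the rules above concrete, here is an added example (not code from the original page) that models the Referrer Policy spec's "determine request's referrer" algorithm in JavaScript and shows what each policy sends for a page whose URL carries a reset token. It also parses a Referrer-Policy header value the way browsers do (last recognized token wins), which is the check to run before trusting a fallback list. referrerFor(), effectivePolicy(), leakMatrix() and the example.com/example.net/example.org URLs are this example's own names and constructed inputs; the trustworthiness check is simplified to https plus loopback hosts.

```javascript
// Added example, not from the original page: a model of the Referrer Policy
// spec's request-referrer algorithm, simplified to http/https page URLs.
// Function names and sample URLs below are this example's own constructs.

const POLICIES = [
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
];

// https (or a loopback host) counts as a potentially trustworthy destination;
// leaving one of those for plain http is a "downgrade".
function isPotentiallyTrustworthy(url) {
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  return ["localhost", "127.0.0.1", "[::1]"].includes(url.hostname);
}

// Browsers never put credentials or the fragment into Referer.
function stripForReferrer(url) {
  const u = new URL(url.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Returns the Referer value the browser would send, or null for "no header".
function referrerFor(policy, pageHref, targetHref) {
  const source = new URL(pageHref);
  const dest = new URL(targetHref);
  if (policy === "") policy = "strict-origin-when-cross-origin"; // spec default
  if (!POLICIES.includes(policy)) throw new Error(`unknown policy: ${policy}`);
  if (source.protocol !== "http:" && source.protocol !== "https:") return null;

  const full = stripForReferrer(source);   // scheme://host[:port]/path?query
  const originOnly = source.origin + "/";  // scheme://host[:port]/
  const sameOrigin = source.origin === dest.origin;
  const downgrade = isPotentiallyTrustworthy(source) && !isPotentiallyTrustworthy(dest);

  let result;
  switch (policy) {
    case "no-referrer":                result = null; break;
    case "unsafe-url":                 result = full; break;
    case "same-origin":                result = sameOrigin ? full : null; break;
    case "origin":                     result = originOnly; break;
    case "strict-origin":              result = downgrade ? null : originOnly; break;
    case "no-referrer-when-downgrade": result = downgrade ? null : full; break;
    case "origin-when-cross-origin":   result = sameOrigin ? full : originOnly; break;
    case "strict-origin-when-cross-origin":
      result = sameOrigin ? full : (downgrade ? null : originOnly); break;
  }
  // The spec reduces a referrer longer than 4096 bytes to its origin.
  if (result !== null && new TextEncoder().encode(result).length > 4096) result = originOnly;
  return result;
}

// Parse a Referrer-Policy header value: comma-separated tokens, unknown tokens
// ignored, LAST recognized token wins. Returns "" when nothing valid is present,
// in which case the browser falls back to its own default.
function effectivePolicy(headerValue) {
  let policy = "";
  for (const raw of headerValue.split(",")) {
    const token = raw.trim();
    if (token !== "" && POLICIES.includes(token)) policy = token;
  }
  return policy;
}

// What every policy sends for one page/target pair.
function leakMatrix(pageHref, targetHref) {
  const out = {};
  for (const p of POLICIES) out[p] = referrerFor(p, pageHref, targetHref);
  return out;
}

// Constructed sample: a password-reset page with a token in its query string.
const PAGE = "https://app.example.com/reset?token=abc123#step2";

if (typeof require !== "undefined" && require.main === module) {
  for (const target of [
    "https://app.example.com/help",       // same-origin: full URL under most policies
    "https://cdn.example.net/widget.js",  // cross-origin, same security level
    "http://tracker.example.org/px.gif",  // cross-origin downgrade
  ]) {
    console.log(`\n-> ${target}`);
    console.table(leakMatrix(PAGE, target));
  }
  console.log(effectivePolicy("no-referrer, strict-origin-when-cross-origin"));
}
```

Run it with node and compare the no-referrer-when-downgrade row (the old default, which hands the token to cdn.example.net) with the strict-origin-when-cross-origin row, which reduces it to the bare origin and drops the header entirely for the http tracker.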