diff --git a/app/controllers/concerns/web_app_controller_concern.rb b/app/controllers/concerns/web_app_controller_concern.rb
index cbd522246..f28786f63 100644
--- a/app/controllers/concerns/web_app_controller_concern.rb
+++ b/app/controllers/concerns/web_app_controller_concern.rb
@@ -6,17 +6,12 @@ module WebAppControllerConcern
   included do
     prepend_before_action :redirect_unauthenticated_to_permalinks!
     before_action :set_app_body_class
-    before_action :set_referrer_policy_header
   end
 
   def set_app_body_class
     @body_classes = 'app-body'
   end
 
-  def set_referrer_policy_header
-    response.headers['Referrer-Policy'] = 'origin'
-  end
-
   def redirect_unauthenticated_to_permalinks!
     return if user_signed_in? && current_account.moved_to_account_id.nil?
 
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 5ea9ea9ba..abb46bd16 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -138,6 +138,7 @@ Rails.application.configure do
     'X-Content-Type-Options' => 'nosniff',
     'X-XSS-Protection'       => '0',
     'Permissions-Policy'     => 'interest-cohort=()',
+    'Referrer-Policy'        => 'no-referrer',
   }
 
   config.x.otp_secret = ENV.fetch('OTP_SECRET')