diff --git a/pages/email-verification.md b/pages/email-verification.md index 83042aa..deb2d57 100644 --- a/pages/email-verification.md +++ b/pages/email-verification.md @@ -53,7 +53,7 @@ https://example.com/verify-email/ A single token should be tied to a single user and email. This is especially important if you allow users to change their email address after they're sent an email. Tokens should be single-use and be immediately deleted from storage after verification. The token should be valid for at least 15 minutes (anywhere between 1-24 hours is recommended). When a user asks for another verification email, you can resend the previous token instead of generating a new token if that token is still within expiration. -Make sure to set the [Referrer Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy) tag to `no-referrer` for any path that includes tokens to protect the tokens from referer leakage. +Make sure to set the [Referrer Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy) tag to `strict-origin` (or equivalent) for any path that includes tokens to protect the tokens from referer leakage. All sessions should be invalidated when the email is verified (and create a new one for the current user so they stay signed in). diff --git a/pages/password-reset.md b/pages/password-reset.md index 0913a04..032a56b 100644 --- a/pages/password-reset.md +++ b/pages/password-reset.md 
@@ -37,7 +37,7 @@ Tokens should be valid for around an hour, and 24 hours at most. Invalidate exis The token must be single-use. Delete the token when the user sends a valid password through the form. -Make sure to set the [Referrer Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy) tag to `no-referrer` for any path that includes tokens to protect the tokens from referer leakage. +Make sure to set the [Referrer Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy) tag to `strict-origin` (or equivalent) for any path that includes tokens to protect the tokens from referer leakage. If the user has implemented [multi-factor authentication](/mfa), such as via authenticator apps or passkeys, they should be prompted to authenticate using their second factor before entering their new password.
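Review bot: in the email-verification.md hunk, "`strict-origin` (or equivalent)" leaves "equivalent" undefined, and the property the sentence actually relies on is that the path and query (where the token lives) are stripped from the Referer on cross-origin requests. Name the values that satisfy it so readers do not pick one that sends the full URL: `no-referrer`, `same-origin`, `strict-origin` and `strict-origin-when-cross-origin` all drop the path for cross-origin navigations; `unsafe-url` and `no-referrer-when-downgrade` do not. Suggested wording: "... to `strict-origin` (or another policy that strips the path, such as `no-referrer`, `same-origin` or `strict-origin-when-cross-origin`) for any path that includes tokens ...", and state that `no-referrer`, the value this line replaces, is still the strictest option and remains acceptable.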
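Review bot: the password-reset.md hunk makes the same relaxation from `no-referrer` to `strict-origin` but gives no reason for it, and nothing in the diff explains the trade-off: `strict-origin` still sends the scheme, host and port to cross-origin HTTPS destinations, which is fine here only because the secret is in the path, not the origin. A one-clause rationale ("`no-referrer` is stricter than needed; the token is only in the path") would keep the two pages consistent and stop a future edit from "restoring" the old value as a fix. Minor: `Referrer-Policy` is a response header (or a `<meta name="referrer">` element), so "tag" in both sentences would be clearer as "header".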