diff --git a/docs/images-and-visitor-metrics.md b/docs/images-and-visitor-metrics.md
index 7d18c81..c7e51b1 100644
--- a/docs/images-and-visitor-metrics.md
+++ b/docs/images-and-visitor-metrics.md
@@ -68,9 +68,10 @@ bots. Compare `d7` after a full week, `d30` after thirty days. (Admin shows this
Privacy unchanged: only a salted `visitor_hash` is stored (no IP, no raw token, no fingerprint).
-### Optional (not done) — homepage hero referrer
-For `remote` images, article cards and the share page use `
`, so
-the publisher CDN doesn't get the referring URL. The homepage hero (`.news-plate`) is a CSS
-`background-image`, which can't carry that policy, so it leaks the referrer (not the IP — that's
-unavoidable for any remote image). Converting the hero to a real `
`
-would make it consistent. Deferred pending an owner decision (touches the cover/contain hero rendering).
+### Referrer suppression on remote images
+Every on-site image request for a `remote` source sets `referrerpolicy="no-referrer"` so the
+publisher CDN doesn't get the referring URL: article cards, the share page, AND the homepage hero
+(converted from a CSS `background-image` to a real `
` — the retry probe sets
+`probe.referrerPolicy='no-referrer'` too). This hides the *referrer*, **not** the visitor's IP —
+any remote image necessarily exposes the IP to the CDN. For zero third-party image requests, the
+source must be `none` or explicitly cleared for local caching (`cache`).