Fact-checked by Grok 2 weeks ago

HTTP referer

The HTTP Referer header (often misspelled as "referer" in the specification rather than the correct English spelling "referrer") is an optional HTTP request header field that identifies the of the resource from which the (such as a ) initiated the request, allowing the receiving server to determine the referring page or context. This header was first defined in HTTP/1.0 and formalized in subsequent standards, enabling servers to track navigation origins for purposes like , , of back-link lists, and basic checks against unauthorized access. The value is typically a full or a relative reference to the previous resource, but its inclusion is not mandatory and depends on configuration, protocol security levels, and policy settings. While useful for legitimate web operations, the Referer header raises significant and concerns because it can inadvertently disclose sensitive , such as query parameters containing , tokens, or full URLs from secure () contexts when requests are made to insecure (HTTP) endpoints. For instance, clicking a link from a banking to an external resource might expose the full referral URL, including account details, to third-party servers, potentially enabling tracking or attacks. To mitigate these risks, modern standards introduce the Referrer-Policy response header, which allows owners to control the amount of referrer sent—options include stripping the , only, or no referrer at all—and user agents often default to stricter policies for cross-origin requests or when upgrading from HTTP to . Additionally, browsers may omit the header entirely in private browsing modes or when navigating from secure to insecure to protect user . The header's syntax follows the ABNF notation as Referer = absolute-URI / partial-URI, where it is sent only in requests (not responses) and is case-insensitive, though implementations typically use "Referer". Despite its utility in and anti-bot measures, evolving regulations like GDPR and features such as Intelligent Tracking Prevention have led to reduced reliance on Referer , with alternatives like the Fetch Metadata Request Headers providing safer context without full exposure. Overall, while the Referer remains a core part of HTTP semantics, its use is increasingly balanced against user protections in contemporary .

Origins and Etymology

Etymology

The HTTP "Referer" header derives its name from a misspelling of the standard English term "referrer," which denotes the source providing a reference or directing a user to another resource. This typographical error occurred in the initial proposal for the header by computer scientist Phillip Hallam-Baker, who suggested incorporating the field into the HTTP specification. Hallam-Baker later acknowledged responsibility for the error in a 1995 IETF mailing list discussion, noting that he had suggested the field without initially naming it, and Roy Fielding proposed the misspelled "Referer" as the header name. The misspelling persisted into the formal HTTP/1.0 specification published as RFC 1945 in 1996, where it was defined without correction due to emerging implementations already adopting the term. Subsequent standards, including HTTP/1.1 in RFC 2616 (1999) and later revisions, retained "Referer" to ensure with existing web infrastructure, avoiding disruptions to deployed systems. Early contributors from the IETF working group, including , prioritized protocol stability over orthographic accuracy, solidifying the non-standard spelling across the web ecosystem. Linguistically, "referer" functions as a from "referral," treating the header as an agent of the referral process, but it deviates from conventional English morphology where "referrer" preserves the double 'r' from the verb "refer" (as in "" from ""). This irregularity mirrors other technical terms where variant spellings have become entrenched, such as "" () versus "" (), both accepted despite differing conventions. The persistence of "referer" underscores how design often favors practical consistency over linguistic precision in standards.

Historical Development

The HTTP referer header was first introduced as an optional request header in the HTTP/1.0 specification, although it first appeared in early HTTP drafts, including the W3C request headers specification updated on May 3, 1994, outlined in RFC 1945 and published in May 1996. Defined in Section 10.13, it specified the URI of the originating resource—typically from a or form submission—to assist servers in generating back-links, logging navigation patterns, optimizing caching, and tracing issues like obsolete links. The header's syntax allowed for absolute or relative URIs, though fragments were excluded, and it was not required for requests lacking a clear origin, such as direct input. Authors , Roy T. Fielding, and Henrik Frystyk Nielsen emphasized user control over its transmission due to early considerations. The header persisted without alteration in the HTTP/1.1 specification, formalized in RFC 2616 and published in June 1999, maintaining its role in enabling server-side analysis while recommending against its use in non-secure requests following secure ones to protect sensitive URIs. During the mid-1990s, initial browser support emerged with implementations in early web clients like (version 1.0 released in December 1994) and successors, aligning with the growing adoption of HTTP for hypermedia systems. In the late 1990s, the referer became instrumental in rudimentary , as server log analyzers such as Analog (launched in 1995) parsed it to track referral sources and user paths on nascent websites. By the early 2000s, growing recognition of risks—such as unintended disclosure of history or secure site details—prompted partial implementations, including options to suppress or strip the header in cross-protocol transitions (e.g., to HTTP). This evolution culminated in the 2014 update via RFC 7231, which redefined HTTP/1.1 semantics across multiple documents but retained the referer header's name and function unchanged for , despite ongoing discussions within the IETF HTTP Working Group about potential renaming to "referrer" that were ultimately rejected to avoid breaking existing systems. The specification reiterated safeguards, advising against its inclusion in downgraded security contexts.

Technical Functionality

Header Syntax and Values

The Referer header field follows the general HTTP header syntax, consisting of the field name "Referer" followed by a colon and a space, then the field value as a reference that identifies the referring resource from which the request originated. The value adheres to the -reference production defined in RFC 3986, allowing either an absolute or a partial (relative reference). This structure enables servers to contextualize requests without requiring a full in all cases. Possible values for the Referer header include absolute URLs, such as https://example.com/page.html, which specify the complete , , path, and optional query parameters. Partial URIs, like /path/to/resource?query=value, represent relative paths from the same , omitting the and components. An empty value or omission of the header indicates no referrer information is provided, often due to policy or lack of a referring context. Encoding rules for the Referer value require percent-encoding of special characters as per URI syntax in RFC 3986; for instance, spaces are encoded as %20, and non-ASCII characters use UTF-8 percent-encoding. Query parameters are included if present in the referring URI, but the fragment identifier (e.g., #section) must not be sent, as it is client-side and irrelevant to the server. This ensures the value remains a valid, parsable reference without extraneous components. In edge cases involving origins requesting mixed content over HTTP, user agents SHOULD NOT send the Referer header to prevent leakage of secure URL details. For invalid or malformed values, such as non-URI strings, HTTP servers handle them as opaque strings per general field parsing rules, often ignoring or logging them without error. The formal grammar for the Referer header, as specified in RFC 9110 (which obsoletes RFC 7231), is given in Augmented Backus-Naur Form (ABNF) below: 
Referer = absolute-URI / partial-URI

absolute-URI  = [scheme](/page/Scheme) ":" hier-part [ "?" query ]

partial-URI   = relative-part [ "?" query ]
These productions reference additional definitions from 9110 (e.g., query, hier-part, relative-part) and 3986 for complete components.

Usage in HTTP Requests and Responses

The HTTP Referer header is exclusively a request header field sent by s, such as web browsers, to indicate the address of the referring from which the current request originated. It is included in outgoing HTTP requests when the fetches a that was invoked or obtained from another , enabling the recipient server to identify the source for purposes like logging or link validation. According to the HTTP/1.1 specification, s SHOULD send the Referer field whenever they have knowledge of the referring , but its inclusion is optional and subject to choices. User agents trigger the Referer header in various resource fetch scenarios, including navigation via hyperlinks (e.g., clicking an tag to perform a GET request), form submissions (e.g., POST requests from
elements), and loading embedded resources such as images via tags, scripts via In practice, the Referer appears in the request headers of both GET and POST methods. For example, a GET request triggered by clicking a link from https://example.com/page1 to https://target.com/page2 might include: 
GET /page2 HTTP/1.1  
Host: target.com  
Referer: https://example.com/page1
Similarly, a POST request from a form submission on the same referring page would carry the identical Referer value, allowing the server to associate the action with its origin. The header value is typically the full URI of the referring page, though it may be truncated to the origin in certain cross-origin scenarios depending on browser policies. Although the Referer header is defined solely for requests and is rarely, if ever, used in HTTP responses per the standards, servers receiving it perform various processing tasks. Servers parse the Referer to log traffic sources for , enabling site owners to track referral patterns and optimize content placement. It also supports security measures, such as anti-forgery checks in (CSRF) prevention, where the server verifies that the request originates from an expected domain to block unauthorized actions. Furthermore, servers may use the Referer for conditional redirects, such as tailoring destination URLs based on the incoming source to enhance or enforce access controls.

Privacy and Security Aspects

Privacy Risks and Concerns

The HTTP Referer header poses significant risks by automatically disclosing the full of the originating page to third-party servers when users navigate via links, forms, or embedded resources, potentially exposing sensitive query parameters such as search terms, session IDs, or personal identifiers. For instance, a containing a search query like https://example.com/search?q=confidential+medical+condition can reveal private user interests or health details to unrelated domains, including advertisers or providers, without user consent. Similarly, session tokens or tracking IDs embedded in may be leaked, enabling unauthorized reconstruction of user sessions across sites. This leakage facilitates cross-site tracking, where third-party services, such as firms, use Referer data to correlate user browsing paths and build detailed profiles spanning multiple domains. By receiving the originating , trackers can infer sequences of visited pages, interests, and behaviors, even if the user has not directly interacted with their domain, thereby undermining efforts to compartmentalize online activities. This mechanism has been a foundational enabler of pervasive in ecosystems, allowing entities like to link cross-domain activities for . Historically, in the early 2000s, default browser behaviors sent full Referer headers without restrictions, leading to widespread unintended disclosures; for example, Google appended users' search queries to Referer headers in HTTP requests, violating privacy expectations and prompting later legal scrutiny over data practices from that era. Notable incidents included the leakage of password reset tokens via Referer when users clicked external links from secure pages, as documented in vulnerability reports where such tokens enabled unauthorized account access if intercepted by third parties. These early defaults amplified risks, as web applications often included sensitive parameters in URLs without anticipating their transmission to external sites. In the modern context as of 2025, risks have intensified with the proliferation of personalized URLs in , where dynamic links embed user-specific data like cart contents or affiliate trackers, increasing the potential for leakage to payment processors or ad networks during cross-origin navigations. behaviors continue to default to sending Referers unless explicitly configured otherwise, exacerbating exposures in scenarios involving embedded buttons or analytics scripts on sensitive pages. Quantitative studies underscore the scale of these issues; for example, analysis of over 3,000 websites in 2022 revealed that more than 90% circumvented strict Referer policies, resulting in the leakage of visited URLs to third parties, predominantly . Additionally, research from 2022 found that approximately 80% of top websites with search functionality leaked user search terms to advertisers via Referer headers, highlighting the ongoing prevalence of such tracking despite privacy enhancements. These findings indicate that Referer-based exposures remain a dominant vector for erosion in contemporary .

Security Implications

The HTTP Referer header plays a role in mitigating Cross-Site Request Forgery (CSRF) attacks by allowing servers to verify that sensitive requests originate from trusted pages within the expected domain. In CSRF prevention, applications can check the Referer to ensure it matches an allowed origin, thereby blocking forged requests from external sites that lack the user's session credentials. This approach was particularly common in early web applications before widespread adoption of synchronizer tokens. However, reliance on the Referer for introduces significant risks due to its manipulability. Attackers can spoof the Referer header in non-browser clients, such as using tools like with the --referer option to arbitrarily set the value, bypassing checks in automated or scripted attacks. Additionally, open redirect vulnerabilities enable malicious sites to forge trusted Referers; for instance, an attacker might lure users to an open redirect on a legitimate that then forwards to the attacker's page, making subsequent requests appear to originate from the trusted source. These techniques undermine Referer-based defenses, allowing unauthorized actions like unauthorized fund transfers or account changes. In May 2025, a vulnerability in (CVE-2025-4664) was disclosed, allowing attackers to leak cross-origin data by exploiting the Referrer Policy via the Link header in crafted pages, enabling capture of full URLs including sensitive query parameters. This flaw, with a CVSS score of 4.3, was actively exploited in the wild and patched in version 136.0.7103.113 and later. To address these threats, security best practices recommend treating the Referer as a supplemental rather than a primary , always combining it with stronger measures like CSRF tokens. Servers should implement strict validation by whitelisting specific domains or paths in the Referer value, rejecting any mismatches or absences, as outlined in guidelines. For example, parsing the Referer to extract and verify only the against a predefined allowlist prevents partial matches or manipulations that could spoof trusted origins. Historically, pre-2010 web applications frequently exploited flawed Referer checks in CSRF scenarios, contributing to vulnerabilities listed in the OWASP Top 10 for 2010, where inadequate origin validation enabled widespread attacks on session-based systems. Such exploits highlighted the header's unreliability, prompting shifts toward more robust defenses in subsequent years.

Modern Policies and Implementations

Referrer-Policy Header

The Referrer-Policy response header enables web servers to specify how much referrer information is included in the Referer header of outgoing requests made by clients, thereby controlling the disclosure of the originating URL. This mechanism addresses privacy concerns by allowing fine-grained control over referrer transmission during navigations, resource fetches, and prefetches. Standardized in the W3C Referrer Policy specification on 26 January 2017, it was integrated into the WHATWG Fetch living standard to provide a consistent policy framework across web platforms. The syntax of the header is straightforward: Referrer-Policy: <policy-token>[, <policy-token>]*, where each policy-token is one of several predefined values that dictate referrer behavior. Multiple tokens can be specified, with the first applicable one used for a given request; if none match, the request falls back to the client-default policy. The available policy tokens include:
  • no-referrer: The Referer header is omitted entirely from all requests, providing maximum by sending no information.
  • no-referrer-when-downgrade: The full referrer URL is sent for requests using the same or a secure (e.g., to ), but stripped entirely when downgrading from to HTTP to prevent leakage to insecure contexts.
  • : Only the origin (scheme, host, and port) of the referrer is sent, omitting the path and query parameters for reduced exposure.
  • origin-when-cross-origin: The full referrer URL is sent for same-origin requests, but only the origin for cross-origin requests, regardless of protocol downgrade.
  • same-origin: The full referrer URL is sent only for same-origin requests; cross-origin requests omit the Referer header.
  • strict-origin: Similar to the "origin" policy, but the Referer header is stripped entirely for cross-origin requests that would downgrade from to HTTP.
  • strict-origin-when-cross-origin: The full referrer is sent for same-origin requests, the origin only for cross-origin same-scheme requests, and nothing for cross-origin downgrades.
  • unsafe-url: The full referrer URL, including path and query, is sent regardless of origin or , which can expose sensitive data and is generally discouraged.
These policies influence the referrer algorithm in the Fetch standard, determining whether and what portion of the referrer is populated based on the request's context, such as navigation type or resource fetch. For instance, under no-referrer-when-downgrade, an HTTPS-to-HTTP navigation would result in no Referer header, while an HTTPS-to-HTTPS fetch would include the full URL. The specification's default policy is strict-origin-when-cross-origin. In the absence of an explicit Referrer-Policy header, browsers apply default policies to ensure baseline privacy protections. For example, Google Chrome has used strict-origin-when-cross-origin as its default since version 85 in July 2020, prioritizing origin-only disclosure for cross-origin requests while stripping on downgrades. Other browsers, such as Firefox and Safari, similarly default to strict-origin-when-cross-origin or equivalent behaviors to align with evolving privacy standards. Recent enhancements to the specification, reflected in updates to the WHATWG Fetch standard through 2023, have emphasized stricter default policies and better integration with privacy regulations like the EU's GDPR (effective 2018) and California's CCPA (effective 2020), promoting reduced referrer leakage to mitigate tracking risks without breaking web functionality. These updates include refined policy resolution for nested browsing contexts and improved handling of service workers, ensuring consistent application across modern web ecosystems.

Browser and Server-Side Controls

Browsers implement varying default referrer policies to balance privacy and functionality, with differences arising from historical and security priorities. has adopted strict-origin-when-cross-origin as its default policy since version 85 in 2020, stripping path and query parameters for cross-origin requests while sending the origin for same-origin ones, enhancing user privacy without breaking most web applications. Mozilla Firefox historically defaulted to unsafe-url, which sent the full referrer including path and query strings, but shifted to strict-origin-when-cross-origin starting with version 87 in March 2021 to mitigate tracking risks, though legacy configurations may still enforce the older behavior in certain preferences. Apple Safari enforces strict-origin-when-cross-origin as its default since Safari 14 in 2020, limiting referrers to the origin only for cross-origin HTTPS-to-HTTP downgrades and omitting them entirely in such cases, aligning with stricter privacy controls in . Server-side configurations allow administrators to enforce referrer policies globally or per-resource via HTTP headers, overriding or complementing browser defaults. In , the mod_headers module enables setting the policy using directives like Header always set Referrer-Policy "strict-origin-when-cross-origin" within a <VirtualHost> or .htaccess file, applying to all responses and ensuring consistent behavior across clients. Similarly, supports this through the add_header directive, such as add_header Referrer-Policy strict-origin-when-cross-origin always; in the server block of the configuration file, which propagates the policy to browsers during resource delivery and supports conditional logic via if statements for specific paths. documents can also impose controls using the <meta name="referrer" content="strict-origin-when-cross-origin"> tag in the <head> section, which browsers like and honor to set the policy for all outgoing requests from that page, providing a fallback when server headers are unavailable. Client-side further refines referrer control through APIs like the Fetch interface, where developers specify a referrerPolicy option—such as 'strict-origin-when-cross-origin'—in fetch() calls to dictate referrer inclusion for programmatic requests, overriding document-level settings as of implementations in major browsers. This allows dynamic adjustment, for instance, in single-page applications where fetch([url](/page/URL), { referrerPolicy: 'no-referrer' }) suppresses the referrer entirely for sensitive calls, though it requires explicit handling to avoid leaking information via default behaviors. Referrer handling remains compliant with and standards, as these protocols preserve semantic headers like Referer without alteration, though 's transport may introduce minor latency differences in header transmission due to multiplexing. Edge cases between mobile and desktop browsers often stem from platform-specific features; for example, mobile via applies more aggressive referrer stripping in cross-site contexts compared to desktop macOS versions, potentially omitting referrers in embedded iframes to prevent tracking in touch-optimized environments. Recent updates in 2024 have intensified privacy measures, particularly Apple's Intelligent Tracking Prevention (ITP), which blocks or strips referrer information for cross-site navigations in 18 and later, extending to third-party embeds. These changes, effective across 18 and macOS , align with broader ecosystem shifts toward zero-knowledge referrer transmission in privacy-focused modes.

Hiding and Manipulation Techniques

Methods to Suppress or Alter Referrer

Client-side techniques allow web developers to suppress or alter the Referer header directly within or . One common method is using the <meta name="referrer"> tag in the document's <head> section, which sets a referrer policy for all requests originating from that page. For instance, <meta name="referrer" content="no-referrer"> instructs the browser to omit the Referer header entirely for subsequent navigations, resource loads, and subresource requests. In , the Fetch API provides the referrerPolicy option to control referrer transmission on a per-request basis. Developers can specify policies like 'no-referrer' when initiating a fetch, ensuring no Referer header is sent with the request, regardless of the document's global policy. This is particularly useful for calls or dynamic resource loading where fine-grained control is needed. Browser extensions offer user-configurable ways to strip or block referrers across sessions, enhancing privacy without altering site code. Tools like , released in 2015, can modify referrer policies or block transmission to third-party domains through custom filters and settings, preventing leakage in cross-site requests. Similarly, , launched in 2015 by the , blocks referrer information for heuristically identified trackers on yellowlisted domains while allowing essential functionality. These extensions gained widespread adoption in the amid rising privacy concerns. Server-side approaches involve intermediaries that rewrite or remove the Referer header before forwarding requests. Reverse proxies, such as those configured with , can use directives like proxy_set_header Referer ""; to blank the header or replace it with a sanitized , anonymizing the for backend services. URL rewriting modules, like 's rewrite or Apache's mod_rewrite, enable pattern-based modifications to strip sensitive or query components from the Referer while preserving the domain, thus reducing information disclosure. These methods are effective for anonymizing traffic in proxy chains but require careful configuration to avoid breaking referrer-dependent features. Protocol-level tricks provide additional ways to minimize referrer exposure in specific contexts. Using HTTP POST requests instead of GET can avoid embedding sensitive data in URLs that might otherwise be exposed via the Referer header during subsequent navigations, though the header itself is still sent if the request originates from a referring page. Data URLs (data: scheme) and blob URLs (blob: scheme) bypass traditional referrer transmission by embedding content directly in the page or creating temporary in-memory objects, preventing network requests that would include a Referer; for example, loading an image via <img src="data:image/..."> generates no external fetch. These are useful for small, self-contained resources but are limited to inline data. Despite these methods, suppressing the Referer header is not universally effective as of 2025, particularly for passive resource loads like images embedded via <img> tags, where browser defaults or incomplete policy inheritance may still transmit partial referrer data in or non-compliant scenarios. Techniques reliant on controls can be overridden by user agents or fail against service worker-intercepted requests, and server-side proxies do not influence direct client-to-server communications outside their scope. Comprehensive suppression often requires combining multiple approaches with the Referrer-Policy header for broader coverage.

Common Use Cases for Hiding

One primary for hiding the HTTP Referer header is privacy protection, where users and websites seek to prevent unauthorized tracking across domains, particularly in advertising ecosystems and interactions. The Referer header can disclose the originating , including query parameters that reveal user behavior or sensitive navigation paths, enabling third-party trackers to build detailed profiles . For instance, when users share links on social platforms, the Referer may expose the source page to external sites, facilitating cross-site correlation of activities. To mitigate this, browsers and sites employ policies like "no-referrer" to suppress the header entirely, reducing the risk of such leakage and enhancing user in online browsing. Enterprises often hide the Referer to safeguard internal URLs and information when linking to external resources, thereby preventing competitors from gaining on site structure or user flows. Sensitive data embedded in URLs, such as session tokens or internal paths, could be inadvertently shared via the Referer during cross-origin requests, potentially exposing operations or confidential patterns. By implementing strict Referrer-Policy settings, organizations ensure that outbound links do not transmit these details, maintaining competitive advantages in digital environments. Compliance with data protection regulations like the EU's (GDPR, effective 2018) and California's Consumer Privacy Act (CCPA, effective 2020) drives the suppression of the Referer header to minimize unnecessary sharing. Under GDPR's data minimization principle (Article 5), controllers must limit to what is essential, and the Referer can qualify as if it includes identifiable elements like user-specific parameters. Similarly, CCPA emphasizes consumer rights to limit data sales, where Referer leakage could contribute to unauthorized profiling. Adopting no-referrer policies helps organizations demonstrate adherence by curbing cross-site data flows, avoiding potential fines up to 4% of global annual turnover under GDPR. In , hiding the Referer prevents leaks in links and sensitive forms, preserving intended traffic attribution and user trust. Affiliate programs rely on precise referral tracking, but exposed Referers from intermediate pages can dilute commissions or reveal promotional strategies to rivals. For sensitive forms, such as or interfaces, suppressing the header avoids transmitting originating URLs that might contain confidential details to third-party scripts or resources. Designers use attributes like rel="noreferrer" on or server-side headers to achieve this, ensuring cleaner without compromising functionality. The have seen a in Referer hiding aligned with the shift toward zero-party data preferences, as privacy regulations and changes amplify demands for reduced tracking surfaces. Although announced plans to deprecate third-party cookies starting in 2020, these were ultimately abandoned as of 2025, marketers have increasingly favored controlled methods, where Referer suppression complements first-party strategies by limiting passive cross-domain insights. This trend reflects broader adoption of -by-design principles.

References

  1. [1]
    https://datatracker.ietf.org/doc/html/rfc7231#section-5.5.3
  2. [2]
    Referer header: Privacy and security concerns - MDN Web Docs
    Jun 13, 2025 · There are privacy and security risks associated with the Referer HTTP header. This article describes them, and offers advice on mitigating those risks.
  3. [3]
    Referer and Referrer-Policy best practices | Articles - web.dev
    Jul 30, 2020 · HTTP requests can include an optional Referer header, which indicates the origin or web page URL the request was made from. The Referrer-Policy ...Summary · Referer and Referrer-Policy 101 · Best practices for setting...Missing: RFC | Show results with:RFC<|control11|><|separator|>
  4. [4]
    Session Identification URI - W3C
    Dan Connoly Proposals for Gathering Consumer Demographics; [Hallam93]: Phillip M. Hallam-Baker Design note on HTTP referer field. Memo to Tim Berners-Lee ...<|control11|><|separator|>
  5. [5]
    Re: Referer: (sic) from Phillip M. Hallam-Baker on 1995-03-10 (ietf ...
    >> Has anyone else noticed that the HTTP header "Referer:" is spelled wrong? > > ... I sent him a note with the suggestion but I don't think I gave a name for the ...Missing: Design | Show results with:Design
  6. [6]
    "Referer" or "referrer" - English Language & Usage Stack Exchange
    Sep 20, 2011 · The misspelling referer originated in the original proposal by computer "scientist" Phillip Hallam-Baker to incorporate the field into the HTTP ...
  7. [7]
    https://datatracker.ietf.org/doc/html/rfc1945#section-10.13
  8. [8]
    https://datatracker.ietf.org/doc/html/rfc2616#section-14.36
  9. [9]
    https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.36
  10. [10]
    The Early Days of Web Analytics - Amplitude
    In the earliest days of the Internet, there was one relatively simple method to measure the traffic your website saw: use the server log.
  11. [11]
    An integrated EU Approach to On-line Data Protection
    Nov 21, 2000 · attention of the industry to possible privacy issues while implementing the HTTP protocol. 22. : – “Having the user agent describe its ...
  12. [12]
    https://datatracker.ietf.org/doc/html/rfc7231#section-5.5.2
  13. [13]
    RFC 7231 - Hypertext Transfer Protocol (HTTP/1.1) - IETF Datatracker
    This document defines the semantics of HTTP/1.1 messages, as expressed by request methods, request header fields, response status codes, and response header ...
  14. [14]
    Cross Site Request Forgery (CSRF) - OWASP Foundation
    Checking the referrer header in the client's HTTP request can prevent CSRF attacks. Ensuring that the HTTP request has come from the original site means ...Missing: redirects | Show results with:redirects
  15. [15]
    Cross-domain Referer leakage - PortSwigger
    In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties. If ...Missing: tracking | Show results with:tracking
  16. [16]
    [PDF] Referrer Policy: Implementation and Circumvention
    The Referrer Policy (RP) standard allows websites to control how much information is shared in the Referer header, which can reveal sensitive user data.<|separator|>
  17. [17]
    Google searchers from years past can get paid for pilfered privacy
    Jun 17, 2023 · Google – it's alleged – violated its privacy commitments by appending search terms to the HTTP Referer header, a text string passed by a web ...Missing: historical | Show results with:historical
  18. [18]
    Nord Security | Report #751581 - Password Reset Link Leaked In ...
    The reporter has identified that the web application is leaking password reset token in the HTTP referrer header. By obtaining a token, malicious user would ...Missing: historical | Show results with:historical
  19. [19]
    Is Your Site Leaking Password Reset Links? - Thoughtbot
    Mar 25, 2019 · Emailed password reset links are a common part of web applications. Is your site leaking these confidential links to third party sites?Is Your Site Leaking... · Leaking Password Reset Links · Testing Your Site
  20. [20]
    Referer Header: A Hidden Threat to Web Application Security
    Jun 2, 2025 · While serving legitimate purposes, the Referer header can inadvertently become a gateway for unauthorized access and data exposure. By ...Missing: definition | Show results with:definition
  21. [21]
    [PDF] a measurement on referrer policy circumvention in 3k e-commerce ...
    May 23, 2022 · Over 90% of 3000 e-commerce websites circumvented strict referrer policies, leaking visited URLs to third parties, often Google.
  22. [22]
    Over 80% of the top websites leak user searches to advertisers
    Sep 8, 2022 · Researchers have found that roughly eight out of ten websites featuring a search bar will leak their visitor's search terms to online advertisers like Google.Missing: Referer historical
  23. [23]
    8 in 10 websites leak your search terms - Gen Digital
    adult, ...
  24. [24]
    Cross-Site Request Forgery Prevention - OWASP Cheat Sheet Series
    A Cross-Site Request Forgery (CSRF) attack occurs when a malicious web site, email, blog, instant message, or program tricks an authenticated user's web browser
  25. [25]
    CWE-352: Cross-Site Request Forgery (CSRF)
    Check the HTTP Referer header to see if the request originated ... Consider using OWASP CSRFTester to identify potential issues and aid in manual analysis.
  26. [26]
    Bypassing Referer-based CSRF defenses | Web Security Academy
    Some applications make use of the HTTP Referer header to attempt to defend against CSRF attacks, normally by verifying that the request originated from the ...
  27. [27]
    What is CSRF (Cross-site request forgery)? Tutorial & Examples
    Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not ...
  28. [28]
    Secure Coding Practices Checklist - OWASP Foundation
    Filter parameters containing sensitive information from the HTTP referer, when linking to external sites. System configuration. Ensure servers, frameworks and ...Missing: whitelisting | Show results with:whitelisting
  29. [29]
    Referrer Policy - W3C
    Jan 26, 2017 · A referrer policy modifies the algorithm used to populate the Referer header when fetching subresources, prefetching, or performing navigations.
  30. [30]
    https://thehackernews.com/2025/05/new-chrome-vulnerability-enables-cross.html
  31. [31]
    Fetch Standard - whatwg
    Oct 10, 2025 · If request 's referrer policy is the empty string, then set request 's referrer policy to request 's policy container's referrer policy. If ...Missing: 2017 | Show results with:2017
  32. [32]
    https://www.w3.org/TR/referrer-policy/
  33. [33]
    https://fetch.spec.whatwg.org/#referrer-policy
  34. [34]
    https://fetch.spec.whatwg.org/
  35. [35]
    https://www.w3.org/TR/referrer-policy/#referrer-policy-header-syntax
  36. [36]
    https://www.w3.org/TR/referrer-policy/#no-referrer-when-downgrade-policy
  37. [37]
    https://www.w3.org/TR/referrer-policy/#same-origin
  38. [38]
    Firefox 87 trims HTTP Referrers by default to protect user privacy
    Mar 22, 2021 · Starting with Firefox 87, we set the default Referrer Policy to 'strict-origin-when-cross-origin' which will trim user sensitive information ...Missing: unsafe- | Show results with:unsafe-
  39. [39]
    <meta name="referrer"> - HTML - MDN Web Docs
    Jul 9, 2025 · The referrer value for the name attribute of the <meta> element controls the HTTP Referer header of requests sent from the document.
  40. [40]
    Request: referrerPolicy property - Web APIs | MDN
    Mar 13, 2025 · The referrerPolicy read-only property of the Request interface returns the referrer policy, which governs what referrer information, sent in the Referer header ...
  41. [41]
    RFC 9114 - HTTP/3 - IETF Datatracker
    This document defines HTTP/3: a mapping of HTTP semantics over the QUIC transport protocol, drawing heavily on the design of HTTP/2.
  42. [42]
    Window: fetch() method - Web APIs | MDN
    Aug 24, 2025 · The fetch() method of the Window interface starts the process of fetching a resource from the network, returning a promise that is fulfilled once the response ...Syntax · Exceptions · Examples
  43. [43]
    Understanding Referrer Loss and Direct Traffic in Sealmetrics
    10. Browser extensions and privacy tools. Privacy-focused browsers or extensions like Brave, uBlock Origin, or DuckDuckGo may block referrers by default.<|separator|>
  44. [44]
    EFF Privacy Badger - Academized
    Dec 19, 2023 · Privacy Badger is a browser extension that prevents advertisers and other third-party trackers from quietly following your online ...
  45. [45]
    Block sending Referrer information · Issue #3604 · gorhill/uBlock
    Mar 14, 2018 · Blocking referrers for third-party domains by default is great for improving your privacy, but breaks some websites. AdGuard maintains whitelist filters to ...
  46. [46]
    Nginx - how to change request header Referer - Stack Overflow
    Jan 18, 2018 · Currently running a local reverse proxy using NGINX. Just wondering how I can change the Referer in the request header from http://localhost: ...Allow access via reverse proxy by http referer - Stack OverflowHow to remove referer from get request in Nginx reverse proxy?More results from stackoverflow.com
  47. [47]
    nginx change referer for proxy - Server Fault
    Feb 17, 2016 · I have set up a very basic proxy rule in nginx. However the resources where the request are proxyed do a referer check. It must be the same domain the service ...Forward Custom Header from Nginx Reverse Proxy - Server FaultWhy does nginx as a reverse proxy not send Referrer-Policy header?More results from serverfault.com
  48. [48]
    Playing with Referer Header - Information Security Stack Exchange
    Jan 12, 2013 · When user clicks on link from http://www.site1.com browser sends Referer header to http://www.site2.com . Based on Referrer header http://www.Why is there no referer when pointing to a secure page?Does referrer header checking offer any real world security ...More results from security.stackexchange.com
  49. [49]
    what should the referer header be for a fetch() from a blob: URL ...
    Feb 20, 2017 · This suggests that the referer header should contains a blob: URL for fetch/xhr requests from a blob: URL worker script. Is this intended?
  50. [50]
    Referrer-Policy header - HTTP - MDN Web Docs
    Sep 16, 2025 · The HTTP Referrer-Policy response header controls how much referrer information (sent with the Referer header) should be included with requests.
  51. [51]
    Don't Let Sensitive Data Hide in Your URLs - Salesforce
    Jul 14, 2025 · ✔️ Enable the referrer-policy HTTP header in your org. ✔️ Share this best practice with your teams—because the best protection is prevention. Keep ...
  52. [52]
    Art. 5 GDPR – Principles relating to processing of personal data
    Rating 4.6 (10,110) Personal data shall be: processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency'); ...Lawfulness · Recital 39 · Article 89Missing: HTTP Referer
  53. [53]
    How to Replace Refferer for Affiliate Links - Short.io Blog
    Feb 14, 2023 · Hiding your referrer address is an excellent way to ensure you can do your promotions your way. The affiliate network couldn't see your referrer URL.
  54. [54]
    [PDF] IAB Europe Guide to a Post Third Party Cookie Era_March 2022.pptx
    For same-site requests, websites can still send the full referrer URL. This makes it impossible to bypass the blocking of tracking by cooperation of websites ...
  55. [55]
    Cookieless Marketing: 7 Strategies to Stay Ahead in 2025 - CookieYes
    May 28, 2025 · Cookieless marketing refers to strategies for targeting and engaging users without relying on third-party cookies, focusing instead on privacy-conscious data ...