The Ultimate Guide to HTTP Referers and Referrer Policies
You literally don't need any other guides on this topic, because this is the ultimate guide.
- What is an HTTP_REFERER?
- What is a referrer policy?
- What are all of the valid referrer policies?
- How to Set a Referrer Policy
- What do the valid referrer policies do?
- In Conclusion
What is an HTTP_REFERER?
When a user navigates from Webpage A to Webpage B, the browser attaches a request header called Referer (spelled with one R, not two; the typo was baked into the original HTTP spec and never fixed) that tells Webpage B which page the user came from. For example, if I am on https://nicedogs.com and I click through to https://baddogs.com, the request to baddogs.com can carry a Referer value of "https://nicedogs.com/", informing baddogs.com that the user came from nicedogs.com. Server-side code usually sees it as the HTTP_REFERER variable (for instance $_SERVER['HTTP_REFERER'] in PHP). The same header is also sent on subresource requests (images, scripts, stylesheets, fetch/XHR), so whatever your policy allows to leak, it leaks to every third-party asset a page embeds, not only to pages the user clicks through to.
What is a referrer policy?
There are various security, privacy, and other issues associated with HTTP_REFERER values. For example, a user who clicks through to a site via a search engine perhaps "should" arrive with an HTTP_REFERER value of https://www.google.com?q=horse+porn, but for privacy reasons search engines strip the path and query, so that traffic shows up with a referrer of just https://www.google.com/. The same concern applies to any URL that carries something sensitive in its path or query string: password-reset tokens, session identifiers, account or order numbers. Whatever is in the URL of the page the user is on gets handed to every site that page links to or embeds resources from, unless a policy says otherwise.
Because of this, it is possible to set a referrer policy [MDN] that controls "the Referer HTTP header for outgoing requests and navigations." This lets a site choose how much of its URLs it hands out, per site, per page, or per link.
What are all of the valid referrer policies?
If set, the Referrer-Policy header (spelled with two Rs, unlike the Referer header it controls) can take one of the following valid values:
- Referrer-Policy: (the empty string)
- Referrer-Policy: no-referrer
- Referrer-Policy: no-referrer-when-downgrade
- Referrer-Policy: same-origin
- Referrer-Policy: origin
- Referrer-Policy: strict-origin
- Referrer-Policy: origin-when-cross-origin
- Referrer-Policy: strict-origin-when-cross-origin
- Referrer-Policy: unsafe-url
Or it can be left unset, which behaves the same as the empty string.
How to Set a Referrer Policy
There are a few options for setting a referrer policy:
- Setting a response header on the page, such as:
Referrer-Policy: no-referrer-when-downgrade
The header may also carry a comma-separated list; browsers apply the last value they recognize, so you can list a newer policy after an older fallback.
- Using a meta tag in the page's head, such as:
<meta name="referrer" content="strict-origin" />
Note that the meta tag uses name="referrer" with a content attribute, not name="Referrer-Policy" with a value attribute; the latter is silently ignored.
- Adding a referrer policy to a specific hyperlink/anchor tag (the same referrerpolicy attribute works on img, iframe, script, link, and area elements), such as:
<a href="https://www.nicewebsite.com/path" referrerpolicy="unsafe-url">Anchor Text</a>
- For a single link, rel="noreferrer" is equivalent to referrerpolicy="no-referrer" (and also implies noopener).
- For fetch() calls, the referrerPolicy request option accepts the same values.
What do the valid referrer policies do?
Referrer-Policy: (empty string / unset)
Leaving the referrer policy unset, or setting it to an empty string, is valid and means "use the browser's default." Modern browsers (Chrome 85+, Firefox 87+) default to strict-origin-when-cross-origin; older browsers defaulted to no-referrer-when-downgrade, which is why a site that never set a policy used to leak full URLs to third parties.
Referrer-Policy: no-referrer
This bad boy is very straightforward. In all scenarios, the Referer header is omitted entirely, even if the target URL is on the same origin, and document.referrer on the destination page is empty.
Referrer-Policy: no-referrer-when-downgrade
This cocksucker sends the full URL (minus fragment and any credentials) as the referrer only when the connection is not getting less secure, that is, when:
- Navigating from HTTP to HTTP;
- Navigating from HTTP to HTTPS; or
- Navigating from HTTPS to HTTPS.
It sends no referrer at all when navigating from HTTPS to HTTP. This was the browser default for years, and it hands full paths and query strings to every cross-origin HTTPS destination, which is why browsers moved off it.
Referrer-Policy: same-origin
This sends the full URL as the referrer for same-origin requests (same scheme, host, and port) and omits the Referer header entirely for anything cross-origin. Note that an HTTPS page linking to an HTTP page on the same host is cross-origin because the scheme differs, so that case gets no referrer either.
Referrer-Policy: origin
When using this referrer policy, rather than list the full URL as the referrer, such as https://www.site.com/some-path, the browser strips the path and query and lists the referrer as https://www.site.com/ in every case, including same-origin requests. Note that this referrer policy will:
- Pass the origin to external sites; and
- Pass the origin when navigating from HTTPS to HTTP pages.
Referrer-Policy: strict-origin
This is the same as the "origin" referrer policy, except that requests from HTTPS to HTTP send no referrer at all.
Referrer-Policy: origin-when-cross-origin
This policy will:
- Send the full URL as the referrer for same-origin requests; and
- Strip the path and query and send only the origin for cross-origin requests.
Similarly to the "origin" policy, this policy still passes the origin when navigating from HTTPS to HTTP (a downgrade is always cross-origin, so that case gets the origin).
Referrer-Policy: strict-origin-when-cross-origin
This is the same as "origin-when-cross-origin" but sends no referrer at all when navigating from HTTPS to HTTP. Since same-origin requires the same scheme, an HTTPS to HTTP request is always cross-origin, so the "same domain" case cannot arise. This is the default in current browsers (Chrome 85+, Firefox 87+) when no policy is set.
Referrer-Policy: unsafe-url
This POLICY doesn't GIVE A FUCK about you or anyone or anything else. In literally all scenarios, regardless of where the user is navigating to and whether the source and destination are HTTP or HTTPS, it fucking sends the full Referer URL, path and query string included, to same-origin pages, to third parties, and over plain HTTP. Hell yeah.
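To make the table of behaviours above concrete, here is an added example (my own code, not part of the original post) that computes the Referer value a browser would send for a request from one URL to another under each policy, following the "determine request's referrer" steps of the Fetch standard. It simplifies one thing: "potentially trustworthy" is approximated as the scheme being https:, whereas real browsers also treat localhost and a few other cases as secure. The sample URLs (nicedogs.com, baddogs.com, a reset token in the query string) are constructed for the demo.

```javascript
// Added example: what Referer value does a given Referrer-Policy produce?
// Not the original page's code. Approximates the Fetch standard's
// "determine request's referrer" algorithm; "potentially trustworthy"
// is simplified to scheme === "https:".

const DEFAULT_POLICY = "strict-origin-when-cross-origin"; // modern browser default

const VALID_POLICIES = new Set([
  "", "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);

// "Strip url for use as a referrer": drop credentials and fragment; with
// originOnly also drop path and query so only scheme://host[:port]/ remains.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  // Local schemes (about:, data:, blob:, file:) never produce a referrer.
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  u.username = "";
  u.password = "";
  u.hash = "";
  if (originOnly) {
    u.pathname = "/";
    u.search = "";
  }
  return u.href;
}

// A downgrade is a request from a secure (https) context to a plain-http URL.
function isDowngrade(from, to) {
  return from.protocol === "https:" && to.protocol === "http:";
}

// Returns the Referer header value as a string, or null when no header is sent.
function computeReferer(policy, fromUrl, toUrl) {
  if (!VALID_POLICIES.has(policy)) {
    throw new Error(`invalid Referrer-Policy: ${policy}`);
  }
  if (policy === "") policy = DEFAULT_POLICY;
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin; // scheme + host + port
  const downgrade = isDowngrade(from, to);
  const full = () => stripForReferrer(fromUrl, false);
  const origin = () => stripForReferrer(fromUrl, true);
  switch (policy) {
    case "no-referrer":                return null;
    case "no-referrer-when-downgrade": return downgrade ? null : full();
    case "same-origin":                return sameOrigin ? full() : null;
    case "origin":                     return origin();
    case "strict-origin":              return downgrade ? null : origin();
    case "origin-when-cross-origin":   return sameOrigin ? full() : origin();
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full();
      return downgrade ? null : origin();
    case "unsafe-url":                 return full();
  }
}

// Build a policy-by-destination table showing what leaks from a page whose
// URL carries a secret in the query string.
function leakTable(fromUrl, targets) {
  const rows = {};
  for (const p of VALID_POLICIES) {
    rows[p || "(default)"] = Object.fromEntries(
      Object.entries(targets).map(([name, t]) => [name, computeReferer(p, fromUrl, t)])
    );
  }
  return rows;
}

// Constructed sample input: a password-reset page with credentials, a token
// in the query, and a fragment, linking to three kinds of destination.
const SAMPLE_FROM = "https://user:pw@nicedogs.com/reset?token=abc123#frag";
const SAMPLE_TARGETS = {
  sameOrigin: "https://nicedogs.com/other",
  crossHttps: "https://baddogs.com/",
  crossHttp:  "http://baddogs.com/",
};

console.table(leakTable(SAMPLE_FROM, SAMPLE_TARGETS));
```

Run it with node and read the crossHttps and crossHttp columns: only no-referrer, same-origin, strict-origin, and strict-origin-when-cross-origin keep the token out of a third party's logs, and only the strict variants and no-referrer keep even the origin off a plain-HTTP wire. Credentials and the fragment never appear under any policy, which matches what browsers do.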
In Conclusion
Don’t be a fucking pussy. Always use unsafe-url. Hell yeah.
(For the humorless: unsafe-url is named that for a reason. It hands your full URLs, query strings included, to every third party and over plain HTTP. If anything sensitive ever appears in a URL on your site, set strict-origin-when-cross-origin or stricter and verify with the Referer header your third parties actually receive.)
August Garcia is some guy who used to sell Viagra on the Internet. He made this website to LARP as a sysadmin while posting about garbage like user-agent spoofing, spintax, the only good keyboard, virtual assistants from Pakistan, links with the rel="nofollow" attribute, proxies, sin, the developer console, literally every link building method, and other junk.