256 Kilobytes

The Ultimate Guide to HTTP Referers and Referrer Policies

Articles in Web Development | By August R. Garcia


You literally don't need any other guides on this topic, because this is the ultimate guide.


What is an HTTP_REFERER?

When a user navigates from Webpage A to Webpage B, a piece of metadata known as the HTTP Referer (spelled with one R, not two) tells Webpage B which page the user navigated to it from. For example, if I am on https://nicedogs.com and I travel to https://baddogs.com, an HTTP_REFERER value of "https://nicedogs.com" can be provided to inform baddogs.com that the user came from nicedogs.com.

What is a referrer policy?

However, there are various security, privacy, and other issues associated with HTTP_REFERER values. For example, a user who clicks through to a site via a search engine perhaps "should" have an HTTP_REFERER value of https://www.google.com?q=horse+porn, but for privacy reasons, search engines generally strip the path data and would only list this traffic as having a referrer of https://www.google.com/.

Because of this, it is possible to set a referrer policy [MDN] to impact "the Referer HTTP header for outgoing requests and navigations." This allows websites to customize what referrer data is passed in various ways.

What are all of the valid referrer policies?

If set, this header can be one of the following valid options:

  • Referrer-Policy: (empty string)
  • Referrer-Policy: no-referrer
  • Referrer-Policy: no-referrer-when-downgrade
  • Referrer-Policy: same-origin
  • Referrer-Policy: origin
  • Referrer-Policy: strict-origin
  • Referrer-Policy: origin-when-cross-origin
  • Referrer-Policy: strict-origin-when-cross-origin
  • Referrer-Policy: unsafe-url

Or can be left unset.

How to Set a Referrer Policy

There are a few options for setting a referrer policy:

  • Setting a response header, such as:
    • Referrer-Policy: no-referrer-when-downgrade
  • Using a meta tag (the meta name is "referrer", and the policy goes in the content attribute), such as:
    • <meta name="referrer" content="strict-origin">
  • Adding a referrer policy to a specific hyperlink/anchor tag via the referrerpolicy attribute, such as:
    • <a href="https://www.nicewebsite.com/path" referrerpolicy="unsafe-url">Anchor Text</a>

What do the valid referrer policies do?

Referrer-Policy: (unset or empty string)

Leaving the referrer policy unset, or setting it to an empty string, is valid and is the default.

Referrer-Policy: no-referrer

This bad boy is very straightforward. In all scenarios, it will send no referrer to the target URL, even if that URL is on the same domain and so on.

Referrer-Policy: no-referrer-when-downgrade

This cocksucker will send referrer header data only when:

  • Navigating from HTTP to HTTP;
  • Navigating from HTTP to HTTPS; or
  • Navigating from HTTPS to HTTPS.

It will not send referrer data at all when navigating from HTTPS to HTTP.

Referrer-Policy: same-origin

This referrer policy is the same as "no-referrer-when-downgrade" except that when navigating to external sites, the referrer will always be null.

Referrer-Policy: origin

When using this referrer policy, rather than listing the full URL as the referrer, such as https://www.site.com/some-path, it will strip the path data and instead list the referrer as https://www.site.com/. Note that this referrer policy will:

  • Pass referrer data to external sites and
  • Pass referrer data when navigating from HTTPS to HTTP pages.

Referrer-Policy: strict-origin

This is the same as the "origin" referrer policy, except that requests from HTTPS to HTTP will not pass referrer data.

Referrer-Policy: origin-when-cross-origin

This policy will:

  • Use the full URL as the referrer for requests within the same domain; and
  • Strip path data when navigating between domains/origins.

Similarly to the "origin" policy, this policy will pass referrer data when navigating from HTTPS to HTTP.

Referrer-Policy: strict-origin-when-cross-origin

This is the same as "origin-when-cross-origin" but will not pass referrer data when the user is navigating from HTTPS to HTTP, regardless of whether those requests are within the same domain or cross-domain.

Referrer-Policy: unsafe-url

This POLICY doesn’t GIVE A FUCK about you or anyone or anything else. In literally all scenarios, regardless of where the user is navigating to and of the HTTP/HTTPS status of the source and destination, it will fucking send all of that HTTP_REFERER data. Hell yeah.
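The following is an added example, not code from the original article: a small model of the rules above that, given the page the user is on, the destination, and a policy, returns the Referer value a browser would send (or null for none). It assumes "downgrade" means an HTTPS source navigating to an HTTP destination, compares origins as scheme + host + port, and takes the policy an empty string falls back to as a parameter, since browsers have not all used the same default.

```javascript
// Added example, not code from the original article. Models the
// Referrer-Policy rules described above for a single navigation.
// Assumptions: "downgrade" = HTTPS source to HTTP destination; origins are
// compared as scheme + host + port (what URL.origin gives you).

const POLICIES = [
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
];

// Returns the Referer value sent when navigating from `from` to `to`, or
// null when no Referer header is sent. An unset/empty policy falls back to
// `fallback`: older browsers used no-referrer-when-downgrade, the current
// spec default is strict-origin-when-cross-origin, so it is explicit here.
function referrerFor(from, to, policy, fallback = "strict-origin-when-cross-origin") {
  const src = new URL(from);
  const dst = new URL(to);
  // A Referer never carries the fragment or embedded credentials, so the
  // "full URL" is rebuilt from origin + path + query only.
  const fullUrl = src.origin + src.pathname + src.search;
  const originOnly = src.origin + "/";
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === "https:" && dst.protocol === "http:";

  switch (policy || fallback) {
    case "no-referrer":                     return null;
    case "no-referrer-when-downgrade":      return downgrade ? null : fullUrl;
    case "same-origin":                     return sameOrigin ? fullUrl : null;
    case "origin":                          return originOnly;
    case "strict-origin":                   return downgrade ? null : originOnly;
    case "origin-when-cross-origin":        return sameOrigin ? fullUrl : originOnly;
    case "strict-origin-when-cross-origin": return downgrade ? null : (sameOrigin ? fullUrl : originOnly);
    case "unsafe-url":                      return fullUrl;
    default: throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// What every policy would hand to the destination for one navigation.
function referrerMatrix(from, to) {
  return Object.fromEntries(POLICIES.map((p) => [p, referrerFor(from, to, p)]));
}

// Constructed sample: an HTTPS page with a query string linking to an HTTP site.
console.log(referrerMatrix("https://nicedogs.com/path?x=1", "http://baddogs.com/"));
```

Feeding the same pair of URLs through all eight policies shows at a glance which ones leak the query string, which leak only the origin, and which go quiet on the HTTPS-to-HTTP hop.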

In Conclusion

Don’t be a fucking pussy. Always use unsafe-url. Hell yeah.

Posted by August R. Garcia at 29 April, 2019 11:56 AM PDT
