HTTP The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide We ...

, "" (a misspelling of Referrer) is an optional HTTP header field that identifies the address of the web page (i.e., the URI or IRI), from which the resource has been requested. By checking the referrer, the server providing the new web page can see where the request originated. In the most common situation, this means that when a user clicks a

hyperlink In computing, a hyperlink, or simply a link, is a digital reference to data that the user can follow or be guided by clicking or tapping. A hyperlink points to a whole document or to a specific element within a document. Hypertext is text w ...

in a

web browser A web browser is application software for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's screen. Browsers are used o ...

, causing the browser to send a request to the server holding the destination web page, the request may include the field, which indicates the last page the user was on (the one where they clicked the link).

Web sites A website (also written as a web site) is a collection of web pages and related content that is identified by a common domain name and published on at least one web server. Examples of notable websites are Google, Facebook, Amazon, and Wiki ...

and

web server A web server is computer software and underlying hardware that accepts requests via HTTP (the network protocol created to distribute web content) or its secure variant HTTPS. A user agent, commonly a web browser or web crawler, initia ...

s log the content of the received field to identify the web page from which the user followed a link, for promotional or statistical purposes. This entails a loss of

privacy Privacy (, ) is the ability of an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively. The domain of privacy partially overlaps with security, which can include the concepts of ...

for the user and may introduce a

security" \n\n\nsecurity.txt is a proposed standard for websites' security information that is meant to allow security researchers to easily report security vulnerabilities. The standard prescribes a text file called \"security.txt\" in the well known locat ...

risk. To mitigate security risks, browsers have been steadily reducing the amount of information sent in Referer. As of March 2021, by default Chrome,

Chromium Chromium is a chemical element with the symbol Cr and atomic number 24. It is the first element in group 6. It is a steely-grey, lustrous, hard, and brittle transition metal. Chromium metal is valued for its high corrosion resistance and hard ...

-based

Edge Edge or EDGE may refer to: Technology Computing * Edge computing, a network load-balancing system * Edge device, an entry point to a computer network * Adobe Edge, a graphical development application * Microsoft Edge, a web browser developed ...

Firefox Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements current ...

Safari A safari (; ) is an overland journey to observe wild animals, especially in eastern or southern Africa. The so-called "Big Five" game animals of Africa – lion, leopard, rhinoceros, elephant, and Cape buffalo – particularly form an impor ...

default to sending only the origin in cross-origin requests, stripping out everything but the domain name.

Etymology

The misspelling of '' referrer'' was introduced in the original proposal by computer scientist

Phillip Hallam-Baker Phillip Hallam-Baker is a computer scientist, mostly known for contributions to Internet security, since the design of HTTP at CERN in 1992. Self-employed since 2018 as a consultant and expert witness in court cases, he previously worked at Comodo ...

to incorporate the header field into the

specification. The misspelling was set in stone by the time (May 1996) of its incorporation into the

Request for Comments A Request for Comments (RFC) is a publication in a series from the principal technical development and standards-setting bodies for the Internet, most prominently the Internet Engineering Task Force (IETF). An RFC is authored by individuals or g ...

standards document RFC 1945 (which 'reflects common usage of the protocol referred to as "HTTP/1.0"' at that time); document co-author

Roy Fielding Roy Thomas Fielding (born 1965) is an American computer scientist, one of the principal authors of the HTTP specification and the originator of the Representational State Transfer (REST) architectural style. He is an authority on computer network ...

remarked in March 1995 that "neither one ( or referrer) is understood by" the standard Unix spell checker of the period. has since become a widely used spelling in the industry when discussing HTTP referrers; usage of the misspelling is not universal, though, as the correct spelling "referrer" is used in some web specifications such a
the Referrer-Policy HTTP header
or the

Document Object Model The Document Object Model (DOM) is a cross-platform and language-independent interface that treats an XML or HTML document as a tree structure wherein each node is an object representing a part of the document. The DOM represents a document wi ...

Details

When visiting a web page, the referrer or referring page is the URL of the previous web page from which a link was followed. More generally, a referrer is the URL of a previous item which led to this request. The referrer for an image, for example, is generally the

HTML The HyperText Markup Language or HTML is the standard markup language for documents designed to be displayed in a web browser. It can be assisted by technologies such as Cascading Style Sheets (CSS) and scripting languages such as JavaS ...

page on which it is to be displayed. The referrer field is an optional part of the HTTP request sent by the

to the web server. Many websites log referrers as part of their attempt to track their users. Most

web log analysis software Web log analysis software (also called a web log analyzer) is a kind of web analytics software that parses a server log file from a web server, and based on the values contained in the log file, derives indicators about when, how, and by whom a web ...

can process this information. Because referrer information can violate

, some web browsers allow the user to disable the sending of referrer information. Some

proxy Proxy may refer to: * Proxy or agent (law), a substitute authorized to act for another entity or a document which authorizes the agent so to act * Proxy (climate), a measured variable used to infer the value of a variable of interest in climate re ...

and

firewall Firewall may refer to: * Firewall (computing), a technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts * Firewall (construction), a barrier inside a building, designed to limit the spre ...

software will also filter out referrer information, to avoid leaking the location of non-public websites. This can, in turn, cause problems: some web servers block parts of their website to web browsers that do not send the right referrer information, in an attempt to prevent

deep linking In the context of the World Wide Web, deep linking is the use of a hyperlink that links to a specific, generally searchable or indexed, piece of web content on a website (e.g. "http://example.com/path/page"), rather than the website's home page (e ...

or unauthorised use of images ( bandwidth theft). Some proxy software has the ability to give the top-level address of the target website as the referrer, which reduces these problems but can still in some cases divulge the user's last-visited web page. Many blogs publish referrer information in order to link back to people who are linking to them, and hence broaden the conversation. This has led, in turn, to the rise of referrer spam: the sending of fake referrer information in order to popularize the spammer's website. It is possible to access the referrer information on the client side using document.referrer in

JavaScript JavaScript (), often abbreviated as JS, is a programming language that is one of the core technologies of the World Wide Web, alongside HTML and CSS. As of 2022, 98% of websites use JavaScript on the client side for webpage behavior, of ...

. This can be used, for example, to individualize a web page based on a user's search engine query. However, the referrer field does not always include search keywords, such as when using

Google Search Google Search (also known simply as Google) is a search engine provided by Google. Handling more than 3.5 billion searches per day, it has a 92% share of the global search engine market. It is also the List of most visited websites, most-visi ...

with https.

Referrer hiding

Most web servers maintain logs of all traffic, and record the HTTP referrer sent by the web browser for each request. This raises a number of privacy concerns, and as a result, a number of systems to prevent web servers being sent the real referring URL have been developed. These systems work either by blanking the referrer field or by replacing it with inaccurate data. Generally, Internet-security suites blank the referrer data, while web-based servers replace it with a false URL, usually their own. This raises the problem of referrer spam. The technical details of both methods are fairly consistent – software applications act as a

proxy server In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. Instead of connecting directly to a server that can fulfill a reques ...

and manipulate the HTTP request, while web-based methods load websites within frames, causing the web browser to send a referrer URL of their website address. Some web browsers give their users the option to turn off referrer fields in the request header. Most web browsers do not send the referrer field when they are instructed to redirect using the "Refresh" field. This does not include some versions of

Opera Opera is a form of theatre in which music is a fundamental component and dramatic roles are taken by singers. Such a "work" (the literal translation of the Italian word "opera") is typically a collaboration between a composer and a libr ...

and many mobile web browsers. However, this method of redirection is discouraged by the

World Wide Web Consortium The World Wide Web Consortium (W3C) is the main international standards organization for the World Wide Web. Founded in 1994 and led by Tim Berners-Lee, the consortium is made up of member organizations that maintain full-time staff working ...

(W3C). If a website is accessed from a HTTP Secure (HTTPS) connection and a link points to anywhere except another secure location, then the referrer field is not sent. The

HTML5 HTML5 is a markup language used for structuring and presenting content on the World Wide Web. It is the fifth and final major HTML version that is a World Wide Web Consortium (W3C) recommendation. The current specification is known as the HTML ...

standard added support for the attribute/value rel="noreferrer", which instructs the user agent to not send a referrer. Another referrer hiding method is to convert the original link URL to a

Data URI scheme The data URI scheme is a uniform resource identifier (URI) scheme that provides a way to include data in-line in Web pages as if they were external resources. It is a form of file literal or here document. This technique allows normally separate ...

-based URL containing small HTML page with a

meta refresh Meta refresh is a method of instructing a web browser to automatically refresh the current web page or frame after a given time interval, using an HTML meta element with the http-equiv parameter set to "refresh" and a content parameter giving t ...

to the original URL. When the user is redirected from the data: page, the original referrer is hidden.

Content Security Policy Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. It is a ...

standard version 1.1 introduced a new ''referrer'' directive that allows more control over the browser's behaviour in regards to the referrer header. Specifically it allows the webmaster to instruct the browser not to block referrer at all, reveal it only when moving with the same origin etc.

References

External links

* : Hypertext Transfer Protocol -- HTTP/1.0 * : Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content * {{IETF RFC, 3987, link=no: Internationalized Resource Identifiers (IRIs) * /w3c.github.io/webappsec/specs/referrer-policy/ Referrer Policy - W3C Editor's Draft URI schemes URL Hypertext Transfer Protocol headers Nonstandard spelling