71

Is there a way to remove or hide the HTTP Referer information in the request header? I want to remove the HTTP referrer information of users who go to another site from my site, using a script, possibly in JavaScript, Python or Django.

example:

Host    slogout.espncricinfo.com
User-Agent  Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0    
Accept  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8    
Accept-Language en-us,en;q=0.5    
Accept-Encoding gzip, deflate    
Accept-Charset  ISO-8859-1,utf-8;q=0.7,*;q=0.7    
Connection  keep-alive
Referer http://slogout.espncricinfo.com/index.php?page=index&level=login
sideshowbarker
shiva
    From your script? Website? While browsing on your computer? – Jacob Jul 25 '11 at 14:25
  • what do you mean? how to do it programmatically? or in custom web-browser? if first, for which platform do you need a solution (e.g. php, c++, etc...)? – heximal Jul 25 '11 at 14:28
  • @cularis I want to remove the HTTP referrer info of visitors who go from my site to another site... – shiva Jul 25 '11 at 14:29
  • @heximal I want to do it programmatically using any one of these languages: JavaScript, jQuery, Python, Django or HTML – shiva Jul 25 '11 at 14:31

10 Answers

134

As of 2015 this is how you prevent sending the Referer header:

Just add this to the head section of the web page:

<meta name="referrer" content="no-referrer" />

This works both for links and for Ajax requests made by JavaScript code on the page.

Other valid meta options include:

<meta name="referrer" content="unsafe-url" />
<meta name="referrer" content="origin" />
<meta name="referrer" content="no-referrer-when-downgrade" />
<meta name="referrer" content="origin-when-cross-origin" />

• See if it works for your browser here: http://caniuse.com/#feat=referrer-policy

• See specs here: http://w3c.github.io/webappsec/specs/referrer-policy/

Also note that browsers now send the Origin header (with CORS requests and POST requests, see here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin) which includes domain and port, and, as far as I know, cannot be removed. If you use <meta name="referrer" content="origin" /> the referrer will contain similar information to the Origin header, which is already good from a privacy point of view, since it will hide the exact page the user is in.

Update:

If you want to remove the referrer by using JavaScript only, you may add the appropriate meta tag dynamically just before making the Ajax request. This JavaScript will add <meta name="referrer" content="no-referrer" /> to the head section of the web page:

var meta = document.createElement('meta');
meta.name = "referrer";
meta.content = "no-referrer";
document.getElementsByTagName('head')[0].appendChild(meta);
Marcelo Glasberg
  • As noted at caniuse.com, this does not work for IE, certain mobile browsers, and MS Edge has partial support. So this is not sufficient to keep sensitive information in URLs away from third parties. – David Leppik Jan 12 '16 at 16:43
  • According to the doc https://www.w3.org/TR/referrer-policy , there is no mention of "no-referrer". Should it be: – Rop May 19 '16 at 08:09
  • In your link https://w3c.github.io/webappsec-referrer-policy , it specifically says: "...provided for discussion only....publication here does not imply endorsement of its contents by W3C. Don’t cite this document other than as work in progress" – Rop May 19 '16 at 08:27
  • Rop, thanks for pointing that out. I believe `content=never` is more compatible than `content=none`, since the newer specification says that `"never" or "no-referrer", return "no-referrer".`. Although it also says that `Authors are encouraged to avoid the legacy keywords never, default, and always. The keywords no-referrer, no-referrer-when-downgrade, and unsafe-url respectively are preferred.`. – Marcelo Glasberg May 21 '16 at 07:43
  • Worth noting, `content=no-referrer` does not work in all browsers, whereas it appears `content=never` works in all browsers that support `no-referrer` and then some. For now you should probably use `content=never`. – bbodenmiller Nov 23 '16 at 08:22
  • @bbodenmiller `content=never` still doesn't work with some browsers (IE, Opera Mini, Old Android Browsers) – Alex Jul 15 '17 at 11:17
  • I'm not seeing this Origin header. I'm printing the headers with PHP's [getallheaders](http://php.net/manual/en/function.getallheaders.php). It doesn't appear in the $_SERVER variable either, where all headers should. I am using the current Chrome (November 2017, 2 years after this answer). Is `getallheaders` and `$_SERVER` omitting it, is Chrome not sending it, or something else? – felwithe Nov 08 '17 at 14:52
  • @felwithe The Origin header is sent with CORS requests, as well as with POST requests. I will update my answer. See here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin – Marcelo Glasberg Nov 09 '17 at 22:29
  • It's not working on Android devices as well; it sets the header as file – Sunil Rawat Apr 27 '18 at 06:35
  • In my test this did not work for a link on Firefox 68.3, but [this solution using rel="noreferrer"](https://stackoverflow.com/a/35563827) as link attribute worked. – Gabriel Devillers May 24 '20 at 17:24
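To make the meta options listed in this answer concrete, here is an added example (not code from the answer or from any browser vendor) that computes the Referer value a browser would send for each referrer-policy keyword in the W3C Referrer Policy spec, plus the legacy aliases `never`, `default` and `always` discussed in the comments. It uses only the Python standard library; the referrer URL is taken from the question's headers and the destination URL is a constructed placeholder. It simplifies the spec's "potentially trustworthy" test to "destination is https".

```python
# Added example (not from the answer above): evaluates the W3C Referrer Policy
# keyword table for a given referrer/destination pair. Standard library only.
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

POLICIES = (
    "no-referrer",
    "no-referrer-when-downgrade",
    "same-origin",
    "origin",
    "strict-origin",
    "origin-when-cross-origin",
    "strict-origin-when-cross-origin",
    "unsafe-url",
)

# Legacy keywords and the policies the spec maps them to.
LEGACY_ALIASES = {
    "never": "no-referrer",
    "default": "no-referrer-when-downgrade",
    "always": "unsafe-url",
}


def _host_port(parts):
    """host[:port], omitting the port when it is the scheme's default."""
    host = parts.hostname or ""
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(parts.scheme):
        host = f"{host}:{parts.port}"
    return host


def origin_of(url):
    """Serialized origin: scheme://host[:port], no trailing slash."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{_host_port(parts)}"


def full_referrer(url):
    """'Full URL' form of a referrer: credentials and fragment removed."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, _host_port(parts), parts.path, parts.query, ""))


def is_downgrade(referrer, destination):
    """TLS-protected page navigating to a plain-HTTP destination (simplified)."""
    return urlsplit(referrer).scheme == "https" and urlsplit(destination).scheme != "https"


def referer_for(policy, referrer, destination):
    """Return the Referer header value, or None when the header is omitted."""
    policy = LEGACY_ALIASES.get(policy, policy)
    if policy not in POLICIES:
        raise ValueError(f"unknown referrer policy: {policy!r}")
    full = full_referrer(referrer)
    origin = origin_of(referrer) + "/"  # origin-only Referer values carry a trailing slash
    same = origin_of(referrer) == origin_of(destination)
    down = is_downgrade(referrer, destination)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "no-referrer-when-downgrade":
        return None if down else full
    if policy == "strict-origin":
        return None if down else origin
    if policy == "same-origin":
        return full if same else None
    if policy == "origin-when-cross-origin":
        return full if same else origin
    # strict-origin-when-cross-origin
    if same:
        return full
    return None if down else origin


def policy_table(referrer, destination):
    """Map every policy keyword to the Referer value it would produce."""
    return {p: referer_for(p, referrer, destination) for p in POLICIES}


if __name__ == "__main__":
    # Referrer taken from the question's headers; the destination is constructed.
    ref = "http://slogout.espncricinfo.com/index.php?page=index&level=login"
    for policy, value in policy_table(ref, "http://example.org/").items():
        print(f"{policy:34} -> {value}")
```

Running the table against the question's login URL shows why `origin` is the pragmatic middle ground the answer describes: it leaks only `http://slogout.espncricinfo.com/`, while `unsafe-url` leaks the full query string including `level=login`.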
7

If you are only interested in hiding the full URL and don't mind keeping your domain name exposed, this small JavaScript code does the job.

Your user is at example.com/secret_url_we_want_to_hide, and your user clicks a link which is supposed to send them to google.com. But instead of <a href="http://google.com">Go to Google</a>, we use this:

<a href="http://example.com/redirect.html#http://google.com">Go to Google</a>

Where /redirect.html is an HTML page containing the following: (Edit: Please see the update!)

<html><head></head><script>
window.location.replace(location.hash.substring(1));
</script></html>

Google.com will see http://example.com/redirect.html in the referrer tag and will never see the actual example.com/secret_url_we_want_to_hide.

UPDATE:

Firefox has a bug with location.hash, the workaround is the following:

<html><head></head><script>
// Rebuild the fragment from the raw href instead of reading location.hash,
// then navigate to it, replacing this redirect page in the history.
var workaround_hash = location.href.split('#').slice(1).join('#');
window.location.replace(workaround_hash);
</script></html>
Hello World
  • It's a good solution; however, it's only suitable for browsers. Anything that ignores the JavaScript, like cURL or another non-browser HTTP client, won't redirect at all – Krzysztof Wende Jan 15 '16 at 11:08
4

There are a variety of mechanisms to do that, depending on what browser version you use. For any browser, if the destination is over HTTP, you can "launder" the origin by redirecting to an HTTPS page which then navigates to the target page.

For IE, you can perform the navigation using JavaScript (e.g. window.open) which will suppress the referer. Or you can use META Refresh, but there's a perf cost to that. For WebKit-based browsers, see the NoReferrer LINK REL option: http://www.webkit.org/blog/907/webkit-nightlies-support-html5-noreferrer-link-relation/

EricLaw
3
<meta name="referrer" content="no-referrer"/>

If you put the above code on your page, all outgoing links (user clicks) will not send referrer information.

Documentation

Jyoti Sandhiya
1

I had been searching for a similar solution, blank the referrer, but only to count unique visits from a referring website. The problem I had was that, if someone visited my site from a particular link, the visit counter would go up, but if that person refreshed the page, the visitor counter was still going up.

I used Google to visit several resources on this topic, and yes, it was very, very difficult to find the answer until someone pointed me to php.net for the solution.

I found the solution in using

header('Refresh: 0; url=index.php');

But just the above code is not the solution. Solution lies in its placement. Here is the full code:

$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$domain = parse_url($ref, PHP_URL_HOST);

if ($domain === "google.com") {
    // Resets header info to the host site so that on page refresh the hit counter does not
    // increase, but increases only when someone visits from a Google URL again
    header('Refresh: 0; url=index.php');
}

After the "refresh", header information changes to that of host site, so on page refresh the "if" statement will not validate and the hit counter will not increase.

You can put your hit counter inside the IF block. You can also program different parameters to log blank hits to your website and different parameters to log over all pageloads/pageviews as well.

Hope it helps.....

Sumit
1

I see no answer mentioning that there is also an HTTP response header that sets the policy, Referrer-Policy. Here's how to set it in Apache:

Header add Referrer-Policy "no-referrer"

Or perhaps a weaker but still safe option, which sends the referrer only when following links that lead to the same site:

Header add Referrer-Policy "same-origin"
IS4
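Since the question also mentions Python and Django, here is an added example (not code from the answer, from Apache or from Django) of the same `Referrer-Policy` response header emitted by a framework-independent WSGI middleware. Django 3.0 and later can do this on their own through the `SECURE_REFERRER_POLICY` setting of `SecurityMiddleware`; the class below wraps any WSGI application. The two sample apps and the request driver are constructed for the example, and the policy token is validated at startup so a typo cannot silently ship a header that browsers ignore.

```python
# Added example (not from the answer above): WSGI middleware that adds a
# validated Referrer-Policy header to every response. Standard library only.
from wsgiref.util import setup_testing_defaults

VALID_POLICIES = frozenset({
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
})


class ReferrerPolicyMiddleware:
    """Add Referrer-Policy to every response unless the app already set one."""

    def __init__(self, app, policy="no-referrer"):
        if policy not in VALID_POLICIES:
            # Fail at startup rather than shipping a token browsers will ignore.
            raise ValueError(f"invalid Referrer-Policy token: {policy!r}")
        self.app = app
        self.policy = policy

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, headers, exc_info=None):
            # Header names are case-insensitive; respect a per-response override.
            if not any(name.lower() == "referrer-policy" for name, _ in headers):
                headers = list(headers) + [("Referrer-Policy", self.policy)]
            return start_response(status, headers, exc_info)
        return self.app(environ, wrapped_start_response)


def hello_app(environ, start_response):
    """Constructed sample app: a page with one outbound link."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b'<a href="https://example.org/">Go to example.org</a>']


def strict_app(environ, start_response):
    """Constructed sample app that sets its own, stricter header per response."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Referrer-Policy", "no-referrer")])
    return [b"ok"]


def run_request(app, path="/"):
    """Drive a WSGI app offline; return (status, {header: value}, body)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)  # fills in a minimal, constructed CGI-style environ
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = ReferrerPolicyMiddleware(hello_app, "same-origin")
    status, headers, body = run_request(app)
    print(status, headers["Referrer-Policy"], body)
```

The middleware lets an application-level header win so a single view can tighten the site-wide default; if you want the server-wide value to be authoritative instead, replace the existing header rather than skipping it.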
0

Your assumption that the Referer header can be accessed via JavaScript is not possible. Just like the User-Agent header in HTTP, Referer etc. cannot be accessed by JavaScript. The values of these headers are fed by the browser. What you can do is some tricky workarounds, if you require to do so.

nibin012
-1

There is another method, using the history.replaceState() method, to hide the query string. For example, if you want to replace http://example.com/search?q=100 with http://example.com/search, you can do it this way:

history.replaceState(null, '', 'search');

Hope this helps! :D

Jack Chen
-4

You can't. It's the browser's decision to send a referer or not. What you can do is hide your referer by using a link anonymizer.

Jacob
-5

I was looking for a solution to this as well, and luckily found this Hide My Referrer site. What impressed me is that it even works for https > https requests.

It will generate a link you can use that will do exactly what you're looking for.

Brian Smith
  • WTF!?! This exposes the Referer to some untrustworthy 3rd party (hidemyreferrer.com), so it does not solve anything and perhaps makes things even worse. Doing something irregular like this even has a common name: [floriani principle](https://de.wikipedia.org/wiki/Sankt-Florian-Prinzip) – Tino May 23 '17 at 13:10
  • @Tino - obviously you have no idea how the hide my referrer site works. It just works and is completely safe to use. – Brian Smith Jun 01 '17 at 02:51