
Server-side HTTP referrer blocking may be achieved by including in the webpage header:
<meta name="referrer" content="no-referrer" />
Remove http referer
https://scotthelme.co.uk/a-new-security-header-referrer-policy

However, referrer policy is something fairly new, so it is not supported universally across all browsers.
http://caniuse.com/#feat=referrer-policy

Therefore, to mask the referrer, redirection may be used (PHP):
https://www.willmaster.com/library/security/hiding-referrer-information.php
https://lincolnloop.com/blog/2012/jun/27/referrer-blocking-hard/

But this only ensures the URL of the referring page is masked by a different URL, not an empty string. Most browsers don't send a referrer when instructed to redirect using the "Refresh" field.
https://en.wikipedia.org/wiki/HTTP_referer#Referrer_hiding


Is there any better way to hide all referrer information more universally?
What if these two approaches are combined:

<head>
<meta name="referrer" content="no-referrer" />
<meta http-equiv="refresh" content="0; URL=<?php echo htmlspecialchars($_SERVER['QUERY_STRING'], ENT_QUOTES, 'UTF-8'); ?>">
</head>

Would the referrer policy here have an effect, i.e. block the referrer in a browser that respects referrer policy but also sends a referrer when instructed to redirect using the "Refresh" field?

In other words, does referrer policy have an effect even when redirection happens not because of user interaction but for some other reason, such as in this example?

sideshowbarker
slal403
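
The combined page from the question, as an added example that is not part of the original post: it validates the redirect target, HTML-escapes it before output, and sends the policy as a `Referrer-Policy` response header in addition to the meta tag. The `url` query parameter and the `safe_target` helper are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: return the target only if it is an absolute http(s) URL.
// Rejects javascript:, data:, relative and scheme-relative values, and any
// value containing whitespace or control characters.
function safe_target(string $raw): ?string
{
    if ($raw === '' || preg_match('/[\x00-\x20\x7f]/', $raw)) {
        return null;
    }
    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $raw;
}

// Assumed calling convention: redirect.php?url=<percent-encoded target>
$raw = $_GET['url'] ?? null;
$target = is_string($raw) ? safe_target($raw) : null;
if ($target === null) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=utf-8');
    exit('Invalid redirect target');
}

// Same policy as the meta tag below, delivered as a response header as well.
header('Referrer-Policy: no-referrer');
header('Content-Type: text/html; charset=utf-8');

// Escape once for use inside double-quoted HTML attributes.
$attr = htmlspecialchars($target, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<head>
<meta name="referrer" content="no-referrer">
<meta http-equiv="refresh" content="0; URL=<?= $attr ?>">
<title>Redirecting</title>
</head>
<body>
<a href="<?= $attr ?>" rel="noreferrer">Continue</a>
</body>
</html>
```

The page still redirects to any http(s) host; where the set of destinations is known, compare `$parts['host']` against an allowlist inside `safe_target`.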