  1. Referer
    1. Writing requests (clients)
      1. Referrer Policy
    2. Reading requests (servers)
      1. Broken link tracking
      2. Marketing/analytics
      3. Anti-leech
    3. Writing Documents (users & servers)
      1. Scripting
      2. Referrer Policy
      3. De-referers
    4. Overview table
    5. History
    6. Syntax
      1. Example
    7. Implementations
      1. Analyzing HTTP server logs
      2. Apache HTTPD
      3. Nginx

Referer

Links on the Web are directional from one document to another. A user following a link on a webpage will generate a request to the link target, and the request will contain a Referer header pointing back to the page where the link was found. This allows websites to understand how pages link to each other, to see how links from other websites are used, and to fix broken links.

Referer is a misspelling of "Referrer" that happens to save a byte over the wire; see History for details.

The Referer header is typically logged by servers for later analysis.

Writing requests (clients)

Clients should send a Referer header when a user follows a link relation from one document to another.

URIs gathered from other sources may also warrant storing the referrer, so that if the link becomes broken, you can re-import the source webpage.

However, sending a Referer header is prohibited if the referring page is encrypted and the target page is not, as this would expose the page that the user was visiting from.

The Referer may be either a relative-reference or an absolute-URI. Clients should send an absolute-URI because it is less likely to be mishandled by servers.

The Referer URI must not include the userinfo component (username or password), which is not supposed to be sent in the request-line.

While URIs are not secrets, the fact that a user has visited one might be. A client must not send over cleartext any URI that it did not itself receive over cleartext. A user agent MUST NOT send a Referer header field in an unsecured HTTP request if the referring page was received with a secure protocol.

Referrer Policy

Referrer Policy (W3C Editor's Draft) specifies a mechanism that allows webpages to control the Referer behavior for links followed from the same webpage. The policy may be specified with:

  • A Referrer-Policy HTTP header, e.g. Referrer-Policy: no-referrer-when-downgrade
  • A meta tag, e.g. <meta name="referrer" content="no-referrer-when-downgrade" />
  • A referrerpolicy content attribute on an a, area, img, iframe, or link element, e.g. <a href="http://example.com/" referrerpolicy="unsafe-url"></a>
  • The noreferrer link relation on an a or area element.
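
The client rules above and the policy values can be combined into one decision function. This is an added example, not code from the original page; build_referer and its helpers are hypothetical names, the default policy is taken from the page's own examples, and "downgrade" is simplified to mean https to anything other than https.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
POLICIES = {"no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
            "strict-origin", "origin-when-cross-origin",
            "strict-origin-when-cross-origin", "unsafe-url"}

def _origin(parts):
    # (scheme, host, port) with the default port filled in for comparison.
    return (parts.scheme, parts.hostname or "",
            parts.port or DEFAULT_PORTS.get(parts.scheme))

def _strip(parts, origin_only=False):
    # Rebuild the URL without userinfo or fragment; both must never be sent.
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    if origin_only:
        return urlunsplit((parts.scheme, netloc, "/", "", ""))
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))

def build_referer(referring_url, target_url, policy="no-referrer-when-downgrade"):
    """Return the Referer value to send, or None to omit the header."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    src, dst = urlsplit(referring_url), urlsplit(target_url)
    if policy == "no-referrer" or src.scheme not in DEFAULT_PORTS:
        return None
    downgrade = src.scheme == "https" and dst.scheme != "https"
    same_origin = _origin(src) == _origin(dst)
    if policy == "unsafe-url":           # sends the full URL even on downgrade
        return _strip(src)
    if policy == "origin":
        return _strip(src, origin_only=True)
    if policy == "same-origin":
        return _strip(src) if same_origin else None
    if policy == "origin-when-cross-origin":
        return _strip(src, origin_only=not same_origin)
    if downgrade:                        # the remaining policies withhold on downgrade
        return None
    if policy == "strict-origin":
        return _strip(src, origin_only=True)
    if policy == "strict-origin-when-cross-origin":
        return _strip(src, origin_only=not same_origin)
    return _strip(src)                   # no-referrer-when-downgrade
```

Note that unsafe-url is the one policy that overrides the downgrade rule, which is why it carries that name.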

Reading requests (servers)

Servers that generate a 404 response to a request may wish to record the Referer header, so that the referring page might be checked for a broken link.

The value of this header should not be shared, even in aggregated form. For example, websites should never list the "top referring websites" on a webpage. The header is strictly informative, and can be set to any value by any person; publishing the usage of the header encourages attackers to make requests with bad values.

Broken link tracking

Web servers responding to requests with 404 Not Found may wish to log the Referer header to understand which webpages are linking to the missing webpage, so that broken links may be fixed.

Marketing/analytics

Aggregating the Referer header values is a simple way to see which other websites are providing you traffic.

Anti-leech

Using the Referer header to block requests made from other websites is called anti-leeching, since a large website embedding an image from a small server is said to "leech" bandwidth.

Since the Referer header is sent by the user-agent and is ultimately under control of the user, there is no reliable way to block cross-domain requests. A common anti-leeching technique is to block any requests containing a Referer header that mismatches the server where the image is hosted.

Writing Documents (users & servers)

Scripting

The value of the Referer header is available to scripting through the document.referrer property (note spelling). Analytics scripts may use this when recording a page hit, to also record the referring page.

Referrer Policy

Documents and servers that wish to change the Referer header behavior from the default may use one of a few mechanisms:

  • A Referrer-Policy HTTP header, e.g. Referrer-Policy: no-referrer-when-downgrade
  • A meta tag, e.g. <meta name="referrer" content="no-referrer-when-downgrade" />
  • A referrerpolicy content attribute on an a, area, img, iframe, or link element, e.g. <a href="http://example.com/" referrerpolicy="unsafe-url"></a>

See W3C Referrer Policy: List of Referrer Policies for valid values and more information.

Referrer Policy is supported in most Web browsers since 2018.

De-referers

An alternate, older mechanism of hiding the referring webpage from link targets is to link to a webpage that itself redirects to the final destination. The destination server will see a Referer header for the page that performed the redirection, instead of the page with the link.

Suppose a user is on http://example.com/faq and clicks a link, generating this request:

GET http://example.com/redirect?target=http://example.net/ HTTP/1.1
Referer: http://example.com/faq

The redirect page responds with a 303 See Other redirect. The final destination server will only see this request:

GET http://example.net/ HTTP/1.1
Referer: http://example.com/redirect?target=http://example.net/

The server can see that the traffic came from example.com, but the specific page http://example.com/faq is now omitted.

This is a form of open redirect, and should be avoided in favor of Referrer Policy if possible.

Overview table

Name: Referer
Description: Specifies where the request-URI was obtained from.
Direction: Request
Specification: RFC 7231: HTTP/1.1 Semantics and Content §5.5.2. Referer

History

1995-03-09: Roy T. Fielding (editor) clarifies that the spellchecker didn't understand "Referrer" either. [http-wg mailing list]
1996-05: "Referer" header appears in RFC 1945 (HTTP/1.0)

Syntax

Referer = absolute-URI / partial-URI

Example

GET /about HTTP/1.1
Host: example.com
Referer: /

Implementations

Analyzing HTTP server logs

  • GoAccess is a real-time log analyzer that can run in your terminal or in a web browser. Run goaccess <logfile> and follow the on-screen setup.

Apache HTTPD

Apache HTTPD supports logging the referring webpage using the %{Referer}i variable with the CustomLog functionality. This is included in the Combined Log Format.

See the Apache HTTP Server Log Files documentation for more information.

Nginx

Nginx by default writes using the Combined Log Format, which includes the value of the Referer header. The log format may be customized; the $http_referer variable in the log_format directive provides the value of the Referer header.

See the ngx_http_log_module documentation for more information.
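
The broken link tracking described under "Reading requests" can be run over the Combined Log Format that Apache HTTPD and Nginx write. This is an added example, not code from the original page; the function names and the log lines are constructed for illustration. Because any client can set Referer to any value, it keeps only plausible http(s) URLs and drops everything else.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
# Quoted fields may contain backslash escapes written by the server.
COMBINED = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?:[^"\\]|\\.)*"$'
)

def clean_referer(raw, max_len=2048):
    """Return raw if it is a plausible absolute http(s) URL, else None."""
    # A backslash means the server escaped a quote or control byte: reject.
    if raw in ("", "-") or len(raw) > max_len or "\\" in raw:
        return None
    try:
        parts = urlsplit(raw)
        host = parts.hostname
    except ValueError:
        return None
    # Relative references are dropped too: the log line lacks the Host needed
    # to resolve them to a page.
    if parts.scheme not in ("http", "https") or not host:
        return None
    return raw

def broken_links(lines):
    """Count (missing path, referring page) pairs for 404 responses."""
    hits = Counter()
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m or m["status"] != "404":
            continue
        request = m["request"].split(" ")
        referer = clean_referer(m["referer"])
        if len(request) == 3 and referer:
            hits[(request[1], referer)] += 1
    return hits

# Constructed sample log lines (documentation addresses and hostnames).
SAMPLE_LOG = [
    r'203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /old-page HTTP/1.1" 404 153 "https://example.org/links.html" "Mozilla/5.0"',
    r'203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /old-page HTTP/1.1" 404 153 "https://example.org/links.html" "Mozilla/5.0"',
    r'198.51.100.7 - - [10/Oct/2023:13:57:12 +0000] "GET /old-page HTTP/1.1" 404 153 "data:text/plain,hello" "curl/8.0"',
    r'198.51.100.7 - - [10/Oct/2023:13:57:40 +0000] "GET /old-page HTTP/1.1" 404 153 "https://example.org/\"quoted\"" "curl/8.0"',
    r'203.0.113.5 - - [10/Oct/2023:13:58:02 +0000] "GET /about HTTP/1.1" 200 5120 "https://example.org/links.html" "Mozilla/5.0"',
    r'203.0.113.5 - - [10/Oct/2023:13:58:30 +0000] "GET /gone HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]
```

Calling broken_links(SAMPLE_LOG) returns a Counter keyed by (path, referrer); the result is for internal review of which pages to fix, not for publication.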