Referer
Links on the Web are directional from one document to another. A user following a link on a webpage will generate a request to the link target, and the request will contain a Referer header pointing back to the page where the link was found. This allows websites to understand how pages link to each other, how links from other websites are used, and to fix broken links.
Referer is a misspelling of "Referrer" that happens to save a byte over the wire; see History for details.
The Referer header is typically logged by servers for later analysis.
Writing requests (clients)
Clients should send a Referer header when a user follows a link relation from one document to another.
URIs gathered from other sources may also warrant storing the referring page, so that if the link becomes broken, you can re-import the source webpage.
However, sending a Referer header is prohibited if the referring page is encrypted and the target page is not, as this would expose the page the user was visiting.
The Referer may be either a relative-reference or an absolute-URI; clients should send an absolute-URI because it is less likely to be mishandled by servers.
The Referer URI must not include the userinfo component (username or password), which is not supposed to be sent in the request-line.
While URIs are not secrets, the fact that a user has visited one might be. A client must not leak URIs through cleartext not previously received through cleartext. A user agent MUST NOT send a Referer header field in an unsecured HTTP request if the referring page was received with a secure protocol.
Referrer Policy
Referrer Policy (W3C Editor's Draft) specifies a mechanism that allows webpages to control the Referer behavior for links followed from the same webpage. The policy may be specified with:
- A Referrer-Policy HTTP header, e.g. Referrer-Policy: no-referrer-when-downgrade
- A meta tag, e.g. <meta name="referrer" content="no-referrer-when-downgrade" />
- A referrerpolicy content attribute on an a, area, img, iframe, or link element, e.g. <a href="http://example.com/" referrerpolicy="unsafe-url"></a>
- The noreferrer link relation on an a or area element.
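As an added example (not code from the page or from any browser), the Python function below computes the Referer value a client should send for a link from one page to another under a given policy. It implements the client rules stated above (absolute-URI, userinfo and fragment stripped, nothing sent on an https-to-http downgrade) and, going beyond the two policy values named on this page, the remaining policy names from the W3C Referrer Policy list; a rel="noreferrer" link corresponds to the no-referrer case. The function name, helper names and policy table are this example's own.

```python
"""Added example: what Referer a client should send under a Referrer Policy.

Not a browser's implementation; the names here are illustrative.
"""
from urllib.parse import urlsplit, urlunsplit

# Standard policy names from the W3C Referrer Policy list.
POLICIES = {
    "no-referrer",
    "no-referrer-when-downgrade",
    "same-origin",
    "origin",
    "strict-origin",
    "origin-when-cross-origin",
    "strict-origin-when-cross-origin",
    "unsafe-url",
}


def _strip(url):
    """Absolute-URI form of `url` with userinfo and fragment removed."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port is not None:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))


def _origin(url):
    """Scheme, host and port of `url`, as sent for origin-only policies."""
    p = urlsplit(_strip(url))
    return urlunsplit((p.scheme, p.netloc, "/", "", ""))


def referer_for(referring, target, policy="no-referrer-when-downgrade"):
    """Return the Referer value to send, or None to omit the header.

    `referring` is the page holding the link, `target` the link destination.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    src, dst = urlsplit(referring), urlsplit(target)
    # A downgrade is a navigation from an encrypted page to an unencrypted one.
    downgrade = src.scheme == "https" and dst.scheme != "https"
    same_origin = _origin(referring) == _origin(target)

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _strip(referring)  # full URL even on downgrade: leaks the page
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _strip(referring)
    if policy == "same-origin":
        return _strip(referring) if same_origin else None
    if policy == "origin":
        return _origin(referring)
    if policy == "strict-origin":
        return None if downgrade else _origin(referring)
    if policy == "origin-when-cross-origin":
        return _strip(referring) if same_origin else _origin(referring)
    # strict-origin-when-cross-origin: full URL within the origin, only the
    # origin across origins, nothing on a downgrade.
    if same_origin:
        return _strip(referring)
    return None if downgrade else _origin(referring)


if __name__ == "__main__":
    page = "https://user:pw@example.com/faq?q=1#top"  # constructed URL
    for pol in sorted(POLICIES):
        print(f"{pol:32} -> {referer_for(page, 'http://example.net/', pol)}")
```

Note that the default policy of the page above, no-referrer-when-downgrade, still sends the full referring URL to any https target, so a site that does not want its internal paths visible to third parties needs one of the origin-only policies.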
Reading requests (servers)
Servers that generate a 404 response to a request may wish to record the Referer header, so that the referring page might be checked for a broken link.
The value of this header should not be shared, even in aggregated form. For example, websites should never list the "top referring websites" on a webpage. The header is strictly informative, and can be set to any value by any person; publishing the usage of the header encourages attackers to make requests with bad values.
Broken link tracking
Web servers responding to requests with 404 Not Found may wish to log the Referer header to understand which webpages are linking to the missing webpage, so that broken links may be fixed.
Marketing/analytics
Aggregating the Referer header values is a simple way to see which other websites are providing you traffic.
Anti-leech
Using the Referer header to block requests made from other websites is called anti-leeching, since a large website embedding an image from a small server is said to "leech" bandwidth.
Since the Referer header is sent by the user-agent and is ultimately under control of the user, there is no reliable way to block cross-domain requests. A common anti-leeching technique is to block any requests containing a Referer header that mismatches the server where the image is hosted.
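The anti-leeching rule just described, as an added example that is not code from the page: a server-side check that refuses a resource when the Referer names a host other than the ones allowed to embed it. Requests with no Referer are allowed, because browsers omit the header under many Referrer Policies and refusing them would also refuse direct visits; a relative-reference Referer can only point at this server and is allowed too. The function names and the allowed-host set are this example's own assumptions.

```python
"""Added example: an anti-leech (hot-link) check on the Referer header.

Because the client controls the header, this only deters casual embedding.
"""
from urllib.parse import urlsplit


def referer_host(referer):
    """Lower-cased host named by a Referer value.

    Returns "" for a relative-reference (it can only refer to this server)
    and None when the value cannot be parsed at all.
    """
    try:
        parts = urlsplit(referer.strip())
    except ValueError:
        return None
    if not parts.netloc:
        return ""
    return (parts.hostname or "").lower()


def allow_hotlink(headers, allowed_hosts):
    """Decide whether to serve an embedded resource for this request.

    `headers` is a plain dict of request headers (names are case-insensitive
    and normalised here); `allowed_hosts` is the set of hostnames that may
    embed the resource, e.g. {"example.com"} (constructed value).
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    referer = lowered.get("referer")
    if referer is None:
        return True  # no Referer: direct visit, privacy tool or Referrer Policy
    host = referer_host(referer)
    if host is None:
        return False  # unparsable value: refuse
    if host == "":
        return True  # relative-reference: same server
    # Exact host match; substring or suffix matching would also accept
    # look-alike hosts such as example.com.attacker.example.
    return host in {h.lower() for h in allowed_hosts}


if __name__ == "__main__":
    allowed = {"example.com", "img.example.com"}
    for hdrs in ({}, {"Referer": "https://example.com/gallery"},
                 {"Referer": "https://example.net/blog"}):
        print(hdrs, "->", "serve" if allow_hotlink(hdrs, allowed) else "refuse")
```

A real deployment would put this logic in the web server (Nginx's valid_referers directive or an Apache rewrite condition) rather than in application code, but the decision table is the same.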
Writing Documents (users & servers)
Scripting
The value of the Referer header is available to scripting through the document.referrer property (note spelling). This may be used by analytics scripts when recording a page hit, to also record the referring page.
Referrer Policy
Documents and servers that wish to change the Referer header behavior from the default may use one of a few mechanisms:
- A Referrer-Policy HTTP header, e.g. Referrer-Policy: no-referrer-when-downgrade
- A meta tag, e.g. <meta name="referrer" content="no-referrer-when-downgrade" />
- A referrerpolicy content attribute on an a, area, img, iframe, or link element, e.g. <a href="http://example.com/" referrerpolicy="unsafe-url"></a>
See W3C Referrer Policy: List of Referrer Policies for valid values and more information.
Referrer Policy is supported in most Web browsers since 2018.
De-referers
An alternate, older mechanism of hiding the referring webpage from link targets is to link to a webpage that itself redirects to the final destination. The destination server will then see a Referer header naming the page that performed the redirection, instead of the page with the link.
Suppose a user is on http://example.com/faq and clicks a link, generating this request:
GET http://example.com/redirect?target=http://example.net/ HTTP/1.1
Referer: http://example.com/faq
This page will respond with a 303 See Other redirect. The final destination server will only see this request:
GET http://example.net/ HTTP/1.1
Referer: http://example.com/redirect?target=http://example.net/
The server can see that the traffic came from example.com, but the specific page http://example.com/faq is now omitted.
This is a form of open redirect, and should be avoided in favor of Referrer Policy if possible.
Overview table
- Name: Referer
- Description: Specifies where the request-URI was obtained from.
- Direction: Request
- Specification: RFC 7231: HTTP/1.1 Semantics and Content §5.5.2. Referer
History
- 1995-03-09: Roy T. Fielding (editor) clarifies that the spellchecker didn't understand "Referrer" either. [http-wg mailing list]
- 1996-05: "Referer" header appears in RFC 1945 (HTTP/1.0)
Syntax
Referer = absolute-URI / partial-URI
Example
GET /about HTTP/1.1
Host: example.com
Referer: /
Implementations
Analyzing HTTP server logs
- GoAccess is a real-time log analyzer that can run in your terminal or in a web browser. Run goaccess <logfile> and follow the on-screen setup.
Apache HTTPD
Apache HTTPD supports logging the referring webpage using the %{Referer}i variable with the CustomLog functionality. This is included in the Combined Log Format.
See the Apache HTTP Server Log Files documentation for more information.
Nginx
Nginx by default writes using the Combined Log Format, which includes the value of the Referer header. The log format may be customized, and the $http_referer variable provides the Referer value for a custom format.
See the ngx_http_log_module documentation for more information.
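As an added example (not code from the page, GoAccess, Apache or Nginx), the Python below parses Combined Log Format lines as written by both servers and applies them to the two uses described earlier: the broken-link tracking from the "Reading requests" section (which pages link to a path that now returns 404) and the internal traffic-source count from "Marketing/analytics". The log lines are constructed for the example, and the function names are its own; as the page notes, the Referer values are attacker-controlled, so a report built from them must be treated as untrusted input wherever it is rendered.

```python
"""Added example: Referer analysis over Combined Log Format lines.

The sample log is constructed; it is not real traffic.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache/Nginx "combined" format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
COMBINED = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /old-page HTTP/1.1" 404 162 "http://example.com/faq" "Mozilla/5.0"
203.0.113.8 - - [10/Oct/2023:13:56:01 +0000] "GET /old-page HTTP/1.1" 404 162 "https://example.net/links" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /about HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:58:40 +0000] "GET /missing.png HTTP/1.1" 404 162 "-" "curl/8.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["path"] = parts[1] if len(parts) == 3 else None
    rec["status"] = int(rec["status"])
    # "-" is how both servers log an absent Referer.
    rec["referer"] = None if rec["referer"] in ("", "-") else rec["referer"]
    return rec


def broken_links(log_text):
    """Map each path that returned 404 to the pages whose links led there."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404 and rec["referer"] and rec["path"]:
            found[rec["path"]].add(rec["referer"])
    return {path: sorted(refs) for path, refs in found.items()}


def referring_hosts(log_text, own_host):
    """Count requests per external referring host (for internal use only)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["referer"]:
            continue
        try:
            host = urlsplit(rec["referer"]).hostname
        except ValueError:
            continue  # malformed Referer: skip rather than crash the report
        if host and host != own_host:
            counts[host] += 1
    return counts


if __name__ == "__main__":
    for path, refs in broken_links(SAMPLE_LOG).items():
        print(f"404 {path} linked from: {', '.join(refs)}")
    print("external referring hosts:", dict(referring_hosts(SAMPLE_LOG, "example.com")))
```

The 404 for /missing.png carries no Referer and so produces nothing to fix; the two hits on /old-page identify one internal page and one external page to correct or contact.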