http – How does the "Referrer Policy" header work?

Question:

I was doing some tests using the Opera browser (same engine as Chrome), and in the HTTP request this is sent:

Referrer Policy: no-referrer-when-downgrade

For example at http://localhost I get this:

Request URL: http://localhost/
Request Method: GET
Status Code: 200 OK
Remote Address: [::1]:80
Referrer Policy: no-referrer-when-downgrade

On a server without HTTPS:

Request URL:http://pt.stackoverflow.com/
Request Method: GET
Status Code: 200 OK
Remote Address: 151.101.65.69:80
Referrer Policy: no-referrer-when-downgrade

On a server with HTTPS:

Request URL:https://www.reddit.com/r/stackunderflow/
Request Method:GET
Status Code:200 
Remote Address:151.101.93.140:443
Referrer Policy:unsafe-url

On another server with HTTPS I got this:

Request URL:https://pt.meta.stackoverflow.com/
Request Method:GET
Status Code:200 
Remote Address:151.101.193.69:443
Referrer Policy:no-referrer-when-downgrade

And sometimes I get this:

Referrer Policy:origin

My question, beyond the meaning of each of the possible values, is what effect this has (or is expected to have) on the server that receives the request, or whether it has some effect on the browser too?

Answer:

You can easily tell that 100 people from Twitter have accessed your website simply by looking at the Referer sent by the client; note that Twitter does not use Referrer-Policy, nor does its content-security-policy specify Referrer.

Without using this feature, any user will send the Referer: header. Imagine that your website is https://website.com and it has a link to https://blog.com.

Whenever the user clicks on https://blog.com, the browser will send:

Referer: https://website.com

This means the other site knows that the person came from your website, but in some cases it can get more information, for example:

Referer: https://website.com/admin/monitorar_comentario/123

We now know that you are an admin of website.com and that you were monitoring a comment in which I wrote the URL https://blog.com that you clicked on. In other cases, more sensitive data may be present in the URL.


Values:

You can configure the Referrer Policy in several ways:

  • no-referrer :

    Removes the Referer in every case, regardless of source and destination.

+----------------------------+----------------------------+----------+
|            From            |             To             | Referrer |
+----------------------------+----------------------------+----------+
| https://website.com/post1/ | http://website.com/post2/  | NULL     |
| https://website.com/post1/ | https://website.com/post2/ | NULL     |
| http://website.com/post1/  | http://website.com/post2/  | NULL     |
| http://website.com/post1/  | http://outro-site.com      | NULL     |
| http://website.com/post1/  | https://outro-site.com     | NULL     |
| https://website.com/post1/ | http://outro-site.com      | NULL     |
+----------------------------+----------------------------+----------+
  • no-referrer-when-downgrade :

    It will remove the Referer only if there is a protocol downgrade, that is, from HTTPS to HTTP. If it goes from HTTP to HTTP(S) it will send normally; in other words, HTTP -> HTTPS, HTTP -> HTTP and HTTPS -> HTTPS all send normally, and only HTTPS -> HTTP does not.

+----------------------------+----------------------------+----------------------------+
|            From            |             To             |          Referrer          |
+----------------------------+----------------------------+----------------------------+
| https://website.com/post1/ | http://website.com/post2/  | NULL                       |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com/post1/ |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com/post1/  |
| http://website.com/post1/  | http://outro-site.com      | http://website.com/post1/  |
| http://website.com/post1/  | https://outro-site.com     | http://website.com/post1/  |
| https://website.com/post1/ | http://outro-site.com      | NULL                       |
+----------------------------+----------------------------+----------------------------+
  • same-origin :

    It will remove the Referer if the destination is a website external to the origin, or if it is the same website with a different protocol.

+----------------------------+----------------------------+----------------------------+
|            From            |             To             |          Referrer          |
+----------------------------+----------------------------+----------------------------+
| https://website.com/post1/ | http://website.com/post2/  | NULL                       |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com/post1/ |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com/post1/  |
| http://website.com/post1/  | http://outro-site.com      | NULL                       |
| http://website.com/post1/  | https://outro-site.com     | NULL                       |
| https://website.com/post1/ | http://outro-site.com      | NULL                       |
+----------------------------+----------------------------+----------------------------+
  • origin :

    It will only ever send the origin, without the URL path.

+----------------------------+----------------------------+---------------------+
|            From            |             To             |      Referrer       |
+----------------------------+----------------------------+---------------------+
| https://website.com/post1/ | http://website.com/post2/  | https://website.com |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com  |
| http://website.com/post1/  | http://outro-site.com      | http://website.com  |
| http://website.com/post1/  | https://outro-site.com     | http://website.com  |
| https://website.com/post1/ | http://outro-site.com      | https://website.com |
+----------------------------+----------------------------+---------------------+
  • strict-origin :

    Identical to origin, but it does not accept a downgrade from HTTPS to HTTP, so it will remove the Referer if the source is HTTPS and the destination is HTTP.

+----------------------------+----------------------------+---------------------+
|            From            |             To             |      Referrer       |
+----------------------------+----------------------------+---------------------+
| https://website.com/post1/ | http://website.com/post2/  | NULL                |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com  |
| http://website.com/post1/  | http://outro-site.com      | http://website.com  |
| http://website.com/post1/  | https://outro-site.com     | http://website.com  |
| https://website.com/post1/ | http://outro-site.com      | NULL                |
+----------------------------+----------------------------+---------------------+
  • origin-when-cross-origin :

    It will apply origin if the destination is an external website; otherwise it will send the Referer normally.

+----------------------------+----------------------------+----------------------------+
|            From            |             To             |          Referrer          |
+----------------------------+----------------------------+----------------------------+
| https://website.com/post1/ | http://website.com/post2/  | https://website.com/post1/ |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com/post1/ |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com/post1/  |
| http://website.com/post1/  | http://outro-site.com      | http://website.com         |
| http://website.com/post1/  | https://outro-site.com     | http://website.com         |
| https://website.com/post1/ | http://outro-site.com      | https://website.com        |
+----------------------------+----------------------------+----------------------------+
  • strict-origin-when-cross-origin :

    Like strict-origin, it does exactly what origin-when-cross-origin does, but if there is a downgrade (from HTTPS to HTTP) it will remove the Referer.

+----------------------------+----------------------------+----------------------------+
|            From            |             To             |          Referrer          |
+----------------------------+----------------------------+----------------------------+
| https://website.com/post1/ | http://website.com/post2/  | NULL                       |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com/post1/ |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com/post1/  |
| http://website.com/post1/  | http://outro-site.com      | http://website.com         |
| http://website.com/post1/  | https://outro-site.com     | http://website.com         |
| https://website.com/post1/ | http://outro-site.com      | NULL                       |
+----------------------------+----------------------------+----------------------------+
  • unsafe-url :

    The browser will always send the Referer, regardless of anything else.


A question one might ask: why so much concern about whether it is HTTP or HTTPS? Several of these policies have the simple objective of removing the Referer if it goes from HTTPS to HTTP, and some others (strict-*) make a point of not sending it over HTTP. The truth is that HTTP is not encrypted, so anyone will be able to know which page you were accessing. If you were at https://a.com/b/c/d when you clicked through to http://evil.com, at that point what you were accessing is exposed in plain text.


Recommendations:

If you want to ensure greater "anonymity", use no-referrer; that is usually what I use. But the Referer can be important, so try using strict-origin-when-cross-origin. If you believe you don't have sensitive information in the URL, you can use no-referrer-when-downgrade, just so as not to leak the Referer to other people over HTTP.

You can also send a different Referrer-Policy based on DNT. DNT is Do Not Track, sent by the user to indicate that they do not want to be tracked, so you can also reply with no-referrer to ensure your system will not monitor them this way.

You, as a user, can also use extensions to remove the Referer in every case, "independently of the programmer", as well as block some connections such as Google Analytics, Chartbeat and Clicky, and enable DNT.


Remember that the content-security-policy header already has similar features and greater control, such as limiting connections made to the website (avoiding XSS) and even limiting connections per element type (i.e. forms are different from fonts, which are different from img, ...), and also sending a hash of the file to prevent it from being maliciously altered. It also allows you to define the Referrer.
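
The policy rules from the tables in the answer, implemented as an added example (not code from the question or the answer) following the W3C Referrer Policy algorithm, in which a different scheme makes http://website.com and https://website.com different origins, so origin-when-cross-origin yields only the origin for the https-to-http same-host row. It assumes only https counts as a trustworthy scheme (the spec also trusts localhost and a few others) and runs over constructed URL pairs matching the tables' rows.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed URL pairs mirroring the rows of the answer's tables.
SAMPLE_PAIRS = [
    ("https://website.com/post1/", "http://website.com/post2/"),
    ("https://website.com/post1/", "https://website.com/post2/"),
    ("http://website.com/post1/", "http://website.com/post2/"),
    ("http://website.com/post1/", "http://outro-site.com"),
    ("http://website.com/post1/", "https://outro-site.com"),
    ("https://website.com/post1/", "http://outro-site.com"),
]

def origin_of(url):
    # scheme://host[:port] is all the origin* policies ever disclose
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "")

def full_referrer(url):
    # The spec strips credentials and the fragment before sending a full URL
    p = urlsplit(url)
    host = p.hostname + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, host, p.path, p.query, ""))

def compute_referrer(policy, src, dst):
    """Referer value (None = header omitted) a browser sends for src -> dst."""
    same_origin = origin_of(src) == origin_of(dst)
    # Assumption: only https is a trustworthy scheme, so https -> http is a downgrade
    downgrade = urlsplit(src).scheme == "https" and urlsplit(dst).scheme != "https"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_referrer(src)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_referrer(src)
    if policy == "same-origin":
        return full_referrer(src) if same_origin else None
    if policy == "origin":
        return origin_of(src)
    if policy == "strict-origin":
        return None if downgrade else origin_of(src)
    if policy == "origin-when-cross-origin":
        return full_referrer(src) if same_origin else origin_of(src)
    if policy == "strict-origin-when-cross-origin":
        return None if downgrade else compute_referrer("origin-when-cross-origin", src, dst)
    raise ValueError(f"unknown policy: {policy}")

def referrer_table(policy):
    # One (from, to, referrer) row per sample pair, like the answer's tables
    return [(s, d, compute_referrer(policy, s, d)) for s, d in SAMPLE_PAIRS]
```

Call referrer_table("strict-origin-when-cross-origin") to reproduce that table row by row; the unsafe-url branch also shows that even the most permissive policy never sends URL credentials or the fragment.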
