HTTP The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, w ...

, "" (a misspelling of Referrer) is an optional HTTP header field that identifies the address of the web page (i.e., the

URI Uri may refer to: Places * Canton of Uri, a canton in Switzerland * Úri, a village and commune in Hungary * Uri, Iran, a village in East Azerbaijan Province * Uri, Jammu and Kashmir, a town in India * Uri (island), an island off Malakula Isla ...

IRI IRI or I.R.I. refers to: Businesses and organizations * Iringa Airport, an airport in Tanzania serving Iringa and the surrounding Iringa Region by IATA airport code * India Rejuvenation Initiative, an Indian anti-corruption organization form ...

), from which the resource has been requested. By checking the referrer, the server providing the new web page can see where the request originated. In the most common situation, this means that when a user clicks a

hyperlink In computing, a hyperlink, or simply a link, is a digital reference to data that the user can follow or be guided by clicking or tapping. A hyperlink points to a whole document or to a specific element within a document. Hypertext is text wi ...

in a

web browser A web browser is application software for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's screen. Browsers are used on ...

, causing the browser to send a request to the server holding the destination web page, the request may include the field, which indicates the last page the user was on (the one where they clicked the link).

Web sites A website (also written as a web site) is a collection of web pages and related content that is identified by a common domain name and published on at least one web server. Examples of notable websites are Google, Facebook, Amazon, and Wikipe ...

and

web server A web server is computer software and underlying hardware that accepts requests via HTTP (the network protocol created to distribute web content) or its secure variant HTTPS. A user agent, commonly a web browser or web crawler, initiate ...

log Log most often refers to: * Trunk (botany), the stem and main wooden axis of a tree, called logs when cut ** Logging, cutting down trees for logs ** Firewood, logs used for fuel ** Lumber or timber, converted from wood logs * Logarithm, in mat ...

the content of the received field to identify the web page from which the user followed a link, for promotional or statistical purposes. This entails a loss of

privacy Privacy (, ) is the ability of an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively. The domain of privacy partially overlaps with security, which can include the concepts of a ...

for the user and may introduce a

security Security is protection from, or resilience against, potential harm (or other unwanted coercive change) caused by others, by restraining the freedom of others to act. Beneficiaries (technically referents) of security may be of persons and social ...

risk. To mitigate security risks, browsers have been steadily reducing the amount of information sent in Referer. As of March 2021, by default Chrome,

Chromium Chromium is a chemical element with the symbol Cr and atomic number 24. It is the first element in group 6. It is a steely-grey, lustrous, hard, and brittle transition metal. Chromium metal is valued for its high corrosion resistance and hardne ...

-based

Edge Edge or EDGE may refer to: Technology Computing * Edge computing, a network load-balancing system * Edge device, an entry point to a computer network * Adobe Edge, a graphical development application * Microsoft Edge, a web browser developed by ...

Firefox Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements current and ...

Safari A safari (; ) is an overland journey to observe wild animals, especially in eastern or southern Africa. The so-called "Big Five" game animals of Africa – lion, leopard, rhinoceros, elephant, and Cape buffalo – particularly form an impor ...

default to sending only the origin in cross-origin requests, stripping out everything but the domain name.

Etymology

The misspelling of ''

referrer In HTTP, "" (a misspelling of Referrer) is an optional HTTP header field that identifies the address of the web page (i.e., the URI or IRI), from which the resource has been requested. By checking the referrer, the server providing the new web ...

'' was introduced in the original proposal by computer scientist

Phillip Hallam-Baker Phillip Hallam-Baker is a computer scientist, mostly known for contributions to Internet security, since the design of HTTP at CERN in 1992. Self-employed since 2018 as a consultant and expert witness in court cases, he previously worked at Comodo ...

to incorporate the header field into the

specification. The misspelling was set in stone by the time (May 1996) of its incorporation into the

Request for Comments A Request for Comments (RFC) is a publication in a series from the principal technical development and standards-setting bodies for the Internet, most prominently the Internet Engineering Task Force (IETF). An RFC is authored by individuals or g ...

standards document RFC 1945 (which 'reflects common usage of the protocol referred to as "HTTP/1.0"' at that time); document co-author

Roy Fielding Roy Thomas Fielding (born 1965) is an American computer scientist, one of the principal authors of the HTTP specification and the originator of the Representational State Transfer (REST) architectural style. He is an authority on computer network ...

remarked in March 1995 that "neither one ( or referrer) is understood by" the standard Unix spell checker of the period. has since become a widely used spelling in the industry when discussing HTTP referrers; usage of the misspelling is not universal, though, as the correct spelling "referrer" is used in some web specifications such a
the Referrer-Policy HTTP header
or the

Document Object Model The Document Object Model (DOM) is a cross-platform and language-independent interface that treats an XML or HTML document as a tree structure wherein each node is an object representing a part of the document. The DOM represents a document ...

Details

When visiting a web page, the referrer or referring page is the URL of the previous web page from which a link was followed. More generally, a referrer is the URL of a previous item which led to this request. The referrer for an image, for example, is generally the

HTML The HyperText Markup Language or HTML is the standard markup language for documents designed to be displayed in a web browser. It can be assisted by technologies such as Cascading Style Sheets (CSS) and scripting languages such as JavaScript ...

page on which it is to be displayed. The referrer field is an optional part of the HTTP request sent by the

to the web server. Many websites log referrers as part of their attempt to track their users. Most

web log analysis software Web log analysis software (also called a web log analyzer) is a kind of web analytics software that parses a server log file from a web server, and based on the values contained in the log file, derives indicators about when, how, and by whom a we ...

can process this information. Because referrer information can violate

, some web browsers allow the user to disable the sending of referrer information. Some proxy and

firewall Firewall may refer to: * Firewall (computing), a technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts * Firewall (construction), a barrier inside a building, designed to limit the spre ...

software will also filter out referrer information, to avoid leaking the location of non-public websites. This can, in turn, cause problems: some web servers block parts of their website to web browsers that do not send the right referrer information, in an attempt to prevent

deep linking In the context of the World Wide Web, deep linking is the use of a hyperlink that links to a specific, generally searchable or indexed, piece of web content on a website (e.g. "http://example.com/path/page"), rather than the website's home page (e ...

or unauthorised use of images ( bandwidth theft). Some proxy software has the ability to give the top-level address of the target website as the referrer, which reduces these problems but can still in some cases divulge the user's last-visited web page. Many blogs publish referrer information in order to link back to people who are linking to them, and hence broaden the conversation. This has led, in turn, to the rise of

referrer spam Referrer spam (also known as referral spam, log spam or referrer bombing) is a kind of spamdexing ( spamming aimed at search engines). The technique involves making repeated web site requests using a fake referrer URL to the site the spammer wi ...

: the sending of fake referrer information in order to popularize the spammer's website. It is possible to access the referrer information on the client side using document.referrer in

JavaScript JavaScript (), often abbreviated as JS, is a programming language that is one of the core technologies of the World Wide Web, alongside HTML and CSS. As of 2022, 98% of websites use JavaScript on the client side for webpage behavior, often ...

. This can be used, for example, to individualize a web page based on a user's search engine query. However, the referrer field does not always include search keywords, such as when using

Google Search Google Search (also known simply as Google) is a search engine provided by Google. Handling more than 3.5 billion searches per day, it has a 92% share of the global search engine market. It is also the most-visited website in the world. The ...

with https.

Referrer hiding

Most web servers maintain logs of all traffic, and record the HTTP referrer sent by the web browser for each request. This raises a number of privacy concerns, and as a result, a number of systems to prevent web servers being sent the real referring URL have been developed. These systems work either by blanking the referrer field or by replacing it with inaccurate data. Generally, Internet-security suites blank the referrer data, while web-based servers replace it with a false URL, usually their own. This raises the problem of referrer spam. The technical details of both methods are fairly consistent – software applications act as a

proxy server In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. Instead of connecting directly to a server that can fulfill a reques ...

and manipulate the HTTP request, while web-based methods load websites within frames, causing the web browser to send a referrer URL of their website address. Some web browsers give their users the option to turn off referrer fields in the request header. Most web browsers do not send the referrer field when they are instructed to redirect using the "Refresh" field. This does not include some versions of

Opera Opera is a form of theatre in which music is a fundamental component and dramatic roles are taken by singers. Such a "work" (the literal translation of the Italian word "opera") is typically a collaboration between a composer and a libre ...

and many mobile web browsers. However, this method of redirection is discouraged by the

World Wide Web Consortium The World Wide Web Consortium (W3C) is the main international standards organization for the World Wide Web. Founded in 1994 and led by Tim Berners-Lee, the consortium is made up of member organizations that maintain full-time staff working to ...

(W3C). If a website is accessed from a

HTTP Secure Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is en ...

(HTTPS) connection and a link points to anywhere except another secure location, then the referrer field is not sent. The

HTML5 HTML5 is a markup language used for structuring and presenting content on the World Wide Web. It is the fifth and final major HTML version that is a World Wide Web Consortium (W3C) recommendation. The current specification is known as the HTML ...

standard added support for the attribute/value rel="noreferrer", which instructs the user agent to not send a referrer. Another referrer hiding method is to convert the original link URL to a Data URI scheme-based URL containing small HTML page with a

meta refresh Meta refresh is a method of instructing a web browser to automatically refresh the current web page or frame after a given time interval, using an HTML meta element with the http-equiv parameter set to "refresh" and a content parameter giving the ...

to the original URL. When the user is redirected from the data: page, the original referrer is hidden. Content Security Policy standard version 1.1 introduced a new ''referrer'' directive that allows more control over the browser's behaviour in regards to the referrer header. Specifically it allows the webmaster to instruct the browser not to block referrer at all, reveal it only when moving with the same origin etc.

References

External links

* : Hypertext Transfer Protocol -- HTTP/1.0 * : Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content * {{IETF RFC, 3987, link=no: Internationalized Resource Identifiers (IRIs) * /w3c.github.io/webappsec/specs/referrer-policy/ Referrer Policy - W3C Editor's Draft URI schemes URL Hypertext Transfer Protocol headers Nonstandard spelling