185

I know it's possible to get an empty HTTP_REFERER. Under what circumstances does this happen? If I get an empty one, does it always mean that the user changed it? Is getting an empty one the same as getting a null one? and under what circumstances do I get that too?

sideshowbarker
sameold

5 Answers

313

It will/may be empty when the end user

  • entered the site URL in browser address bar itself.
  • visited the site by a browser-maintained bookmark.
  • visited the site as first page in the window/tab.
  • clicked a link in an external application.
  • switched from a https URL to a http URL.
  • switched from a https URL to a different https URL.
  • has security software installed (antivirus/firewall/etc) which strips the referrer from all requests.
  • is behind a proxy which strips the referrer from all requests.
  • visited the site programmatically (like, curl) without setting the referrer header (searchbots!).
BalusC
  • 35
    You might want to add "when the user transitions from a secure (HTTPS) page to an insecure one". – John Pick Apr 03 '12 at 04:50
  • 4
    "visited the site as first page in the window/tab." Even if it was by clicking on a link and opening it in a new window/tab?? Are you sure? That would be a very wrong behavior of the browser – matteo Mar 25 '13 at 00:14
  • Also see here http://stackoverflow.com/questions/21922143/why-isnt-the-referral-removed-for-google-https-http for exceptions to this – GetFree Jan 21 '15 at 04:54
  • @undone - I think that the referrer header is preserved when going from https to https unless the referrer metatag specifies otherwise. Can you cite a source that says otherwise? (ref: http://smerity.com/articles/2013/where_did_all_the_http_referrers_go.html) – slang Apr 07 '15 at 14:22
  • @slang I couldn't find the source but I remember that I checked that with old browsers a couple of years ago, but apparently that's not the case anymore. – undone Apr 07 '15 at 16:50
  • "has security software installed (antivirus/firewall/etc) which strips the referrer from all requests." has saved my life. Thank you :) – Anjana Silva Feb 22 '16 at 16:26
  • @AnjanaSilva why does a security software do that? – Sandeepan Nath May 18 '16 at 07:02
  • 6
    "switched from a https URL to a different https URL". Are you sure about this? :\ – Oscar Mederos Jun 02 '16 at 05:10
  • links from inside of a Flash app usually do not send the referrer header either. Important if you are still using flash navigation, map, or ads. – leiavoia Oct 11 '16 at 23:28
  • I have no referrer going from an https URL to a different https URL – tofutim Nov 17 '16 at 01:59
  • Or if the link had attribute rel="noreferrer" It is used to prevent private / intranet information leakage. – Noman Riffat Dec 08 '16 at 11:48
  • 7
    By default, switching from an HTTPS URL to a different HTTPS URL does set the full referer. This default policy can however be overridden. https://www.w3.org/TR/referrer-policy/ – Dhaval Kapil Feb 03 '17 at 14:38
  • An esoteric reason could be that some primitive browsers don't support this header (look up the Dorado browser - or rather, don't waste your time looking it up). – Hassan Baig Sep 06 '17 at 21:19
  • @tofutim I have referer from an https to another domain https, also from https to http. I tried this with Google result. – Rick Sep 04 '18 at 04:53
  • in Safari (12.0.2), cmd + click on link or left click and open in new tab, http_referer is empty! – GrandFelix Feb 26 '19 at 09:22
  • is the only truly effective way to track organic vs search traffic by using canonical links with parameters for search engines? – oldboy Jul 25 '19 at 08:26
  • In my case **switched from a https URL to a http URL**. Now Resolved. – Vikas Chaturvedi Jul 25 '19 at 10:06
  • Wouldn't a page refresh (F5) also show a blank referrer? Or am I mistaken? – AaronLS Feb 18 '20 at 19:54
  • When changing from HTTPS to a different HTTPS domain, the domain is included but not the path, at least in Google search + Chrome – NeDark Jan 24 '21 at 18:58
  • Based on my experience, and what I read on the internet, the http_referer header is empty in Internet Explorer – shayuna Oct 17 '21 at 08:35
37

HTTP_REFERER - sent by the browser, stating the last page the browser viewed!

If you are trusting [HTTP_REFERER] for any reason that is important, you should not, since it can be faked easily:

  1. Some browsers limit access to not allow HTTP_REFERER to be passed
  2. Typing an address in the address bar will not pass the HTTP_REFERER
  3. Opening a new browser window will not pass the HTTP_REFERER, because HTTP_REFERER = NULL
  4. has some browser addon that blocks it for privacy reasons. Some firewalls and AVs do too.

Try this firefox extension, you'll be able to set any headers you want:

@Master of Celebration:

Firefox:

extensions: refspoof, refontrol, modify headers, no-referer

Completely disable: the option is available in about:config under "network.http.sendRefererHeader" and you want to set this to 0 to disable referer passing.

Google chrome / Chromium:

extensions: noref, spoofy, external noreferrer

Completely disable: Change ~/.config/google-chrome/Default/Preferences or ~/.config/chromium/Default/Preferences and set this:

```
{
   ...
   "enable_referrers": false,
   ...
}
```

Or simply add --no-referrers to shortcut or in cli:

```
google-chrome --no-referrers
```

Opera:

Completely disable: Settings > Preferences > Advanced > Network, and uncheck "Send referrer information"

Spoofing web service:

http://referer.us/

Standalone filtering proxy (spoof any header):

Privoxy

Spoofing http_referer when using wget

‘--referer=url’

Spoofing http_referer when using curl

-e, --referer

Spoofing http_referer with telnet

```
telnet www.yoursite.com 80 (press return)
GET /index.html HTTP/1.0 (press return)
Referer: http://www.hah-hah.com (press return)
(press return again)
```
ThatGuy
  • [Tamper Data](https://addons.mozilla.org/en-US/firefox/addon/tamper-data/) is another Firefox extension that's worth a look if you want to play with changing referrer values. – Chris Hepner Jul 30 '11 at 02:32
  • I was trying really hard to remember it's name. but my memory betrayed me. Thanks:) – ThatGuy Jul 30 '11 at 02:35
  • @nix `Some browsers limit access to not allow HTTP_REFERER to be passed` Could you please name an example for such browser and/or extension? – Master of Celebration May 15 '12 at 10:49
  • @MasterofCelebration added ways to spoof http_referer into my answer. – ThatGuy May 18 '12 at 18:54
  • Do not use referer.us to spoof / hide your referrer! It [does not work](https://url.rw/?https%3A%2F%2Fhidemyreferrer.com%2Fwhat-is-my-referer%2F) and leaks your information. The only working service right now is this free [hide referrer](https://hidemyreferrer.com/) service. – Brian Smith Mar 30 '17 at 02:44
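
As an added example (not code from any of the answers): a Python sketch of how a server can tell an absent Referer from an empty or unusable one, reading the same `HTTP_REFERER` key from a WSGI/CGI environment. The function names and the `example.test` origin are made up for illustration; because the header is client-controlled, the result is suitable for logging and analytics, not for authorization.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for an http(s) URL, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port            # raises ValueError on a bad port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (scheme, parts.hostname, port or DEFAULT_PORTS[scheme])


def classify_referer(environ, own_origin):
    """Classify the Referer of a request from its WSGI/CGI environ dict."""
    raw = environ.get("HTTP_REFERER")
    if raw is None:
        return "absent"              # header not sent at all (the "null" case)
    if not raw.strip():
        return "empty"               # header sent with no value
    ref = origin_of(raw)
    if ref is None:
        return "malformed"           # e.g. "-" or a non-http(s) scheme
    return "same-origin" if ref == origin_of(own_origin) else "cross-origin"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        {},
        {"HTTP_REFERER": ""},
        {"HTTP_REFERER": "-"},
        {"HTTP_REFERER": "https://example.test:443/cart?id=7"},
        {"HTTP_REFERER": "http://example.test/cart"},
    ]
    for env in samples:
        print(env, "->", classify_referer(env, "https://example.test"))
```
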
11

It will also be empty if the new Referrer Policy standard draft is used to prevent the referer header from being sent to the request origin. Example:

```
<meta name="referrer" content="none">
```

Although Chrome and Firefox have already implemented a draft version of the Referrer Policy, you should be careful with it because for example Chrome expects `no-referrer` instead of `none` (and I have also seen `never` somewhere).

Joel
  • browser compatibility table: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy – djvg Nov 29 '19 at 09:52
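
As an added example (not code from the answers): a Python model of which Referer value a browser sends under each policy named in the W3C Referrer Policy specification linked in the comments above; it also covers the HTTPS-to-HTTP case from the first answer's list. `referer_for` and the `*.example` URLs are made up for illustration, and "downgrade" is simplified here to "https source, non-https destination".

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))


def _strip(url, origin_only=False):
    """Drop userinfo and fragment; optionally reduce to scheme://host[:port]/."""
    p = urlsplit(url)
    host = p.hostname if p.port is None else f"{p.hostname}:{p.port}"
    if origin_only:
        return f"{p.scheme}://{host}/"
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{host}{p.path or '/'}{query}"


def referer_for(policy, source, dest):
    """Return the Referer header value, or None when no header is sent."""
    same = _origin(source) == _origin(dest)
    # Simplification (assumption): downgrade = https page linking to non-https.
    downgrade = urlsplit(source).scheme == "https" and urlsplit(dest).scheme != "https"
    full, origin = _strip(source), _strip(source, origin_only=True)
    table = {
        "no-referrer": None,
        "unsafe-url": full,
        "origin": origin,
        "same-origin": full if same else None,
        "origin-when-cross-origin": full if same else origin,
        "strict-origin": None if downgrade else origin,
        "no-referrer-when-downgrade": None if downgrade else full,
        "strict-origin-when-cross-origin":
            full if same else (None if downgrade else origin),
    }
    if policy not in table:
        raise ValueError(f"unknown referrer policy: {policy!r}")
    return table[policy]


if __name__ == "__main__":
    src = "https://a.example/account?id=7#top"   # constructed URLs
    for dst in ("https://a.example/x", "https://b.example/", "http://b.example/"):
        for pol in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
            print(f"{pol:32} -> {dst:22} : {referer_for(pol, src, dst)}")
```
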
9

BalusC's list is solid. One additional way this field frequently appears empty is when the user is behind a proxy server. This is similar to being behind a firewall but is slightly different so I wanted to mention it for the sake of completeness.

Night Owl
0

I have found the browser referer implementation to be really inconsistent.

For example, an anchor element with the "download" attribute works as expected in Safari and sends the referer, but in Chrome the referer will be empty or "-" in the web server logs.

```
<a href="http://foo.com/foo" download="bar">click to download</a>
```

Is broken in Chrome - no referer sent.

jmoz