Posted on September 5, 2017

Prevent Sending HTTP Referer Headers from Your Website

When a user leaves your website through a link or an HTTP redirect, the browser attaches a Referer header containing the URL of the page the user is coming from to the new request. In most cases this isn’t harmful, but there are situations where that URL should stay hidden. In this tutorial, you will learn a few different methods to obscure or remove the HTTP Referer header from the request.

Keep in mind that some of these options may not always work. If a browser implements the standards incorrectly, or the user has disabled a technology that a particular method depends on, the referral information will still be attached to the request. The method below labeled “Exit Page Redirect” should work no matter what technologies are disabled, and in older browsers that don’t support the Referrer Policy specification.

Using REL Attribute

Since HTML5, browsers support more values for the rel attribute of <a> tags. According to the specification, you can provide multiple values to rel by separating them with spaces. One of the new values is noreferrer. This link type prevents the browser from sending the current page address.

Prevents the browser, when navigating to another page, to send this page address, or any other value, as referrer via the Referer: HTTP header.

Mozilla

Below is an example of using the rel attribute in a link. It can also be used on <area> tags to prevent sending referrer information.

<a href="http://example.com" rel="noreferrer">Example.com</a>

Referrer Policy

The second method is to use the Referrer Policy on your website. With this method, you can either add a <meta> tag to your website or add a referrerpolicy attribute to individual hyperlinks. As of September 2017, Referrer Policy is still a working draft and isn’t a web standard yet. The most recent versions of Microsoft Edge, Firefox, Chrome, Safari, Opera, and Android Browser support, at least partially, the use of Referrer Policy. You can check the browser support at “Can I use Referrer Policy”.

To make every link on your website omit the referral information, add the <meta> tag below to the <head> section of your pages. There are various values you can set instead of “no-referrer” that might suit you better. The value “same-origin” keeps the referrer data when you link to the same origin (scheme, host and port) but omits the header when you link to an external website or a different sub-domain.

<meta name="referrer" content="no-referrer">

If you only want a few links on your page to withhold the referrer data, you can specify the Referrer Policy on a per-link basis. Instead of creating a <meta> tag, you simply add a referrerpolicy attribute to each link for which you want a custom policy.

<a href="http://example.com" referrerpolicy="no-referrer">ReferrerPolicy Attribute</a>

Exit Page Redirect

The only method that should currently work without flaw is to have an exit page whose URL you don’t mind appearing in the Referer header. Many websites implement this method, including Google and Facebook. Instead of the referrer data revealing private information, it only shows the website the user came from, provided the exit page is implemented correctly. Instead of the referrer data appearing as http://example.com/user/foobar, the new referrer data will appear as http://example.com/exit?url=http%3A%2F%2Fexample.com.

This method does require additional programming, but the small PHP example below should help you get started. It works by sending all external links on your website to an intermediary page that then redirects to the final destination. Below we have a link to the website “example.com”: we URL-encode the full URL and pass it in the url parameter of our exit page.

<a href="/exit.php?url=http%3A%2F%2Fexample.com">Example.com</a>

Now we have our “exit.php” page code below. We perform some URL validation to make sure the page was given a valid URL with an HTTP or HTTPS scheme. If for some reason the URL is invalid, we redirect the user to the homepage of our website, but you could just as easily change the code to show an error message instead.

<?php

	/*
	 * Sets the HTTP headers to redirect the user to a different page
	 * along with setting the HTTP status code to 307 Temporary Redirect.
	 */
	function redirect($url) {
		header("Location: {$url}", true, 307);
	}

	/*
	 * Checks that the URL is well-formed, has a scheme and a host,
	 * and uses the HTTP or HTTPS scheme.
	 */
	function valid_url($url) {
		if(filter_var($url, FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED|FILTER_FLAG_HOST_REQUIRED) === false) {
			return false;
		}

		$scheme = parse_url($url, PHP_URL_SCHEME);
		if($scheme !== "http" && $scheme !== "https") {
			return false;
		}

		return true;
	}

	if(!isset($_GET['url'])) {
		// Missing required argument: fall back to the homepage.
		redirect("/");
		exit;
	} else {
		$url = $_GET['url'];
		if(valid_url($url)) {
			redirect($url);
			exit;
		} else {
			// Invalid URL: fall back to the homepage.
			redirect("/");
			exit;
		}
	}
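The exit page above will redirect to any valid http(s) URL a visitor supplies, which makes it an open redirector that phishing links can abuse to borrow your domain’s reputation. The variant below is an added example, not the post’s own code: it only follows links your own templates generated (by checking an HMAC over the target, with a placeholder EXIT_SECRET you would load from configuration) and sends a Referrer-Policy header on the redirect response, because browsers keep the original document’s referrer when following an HTTP redirect unless told otherwise.

```php
<?php
// Added example (not the original post's code). EXIT_SECRET is a placeholder;
// load a long random value from a file or environment outside the web root.
const EXIT_SECRET = 'replace-with-a-long-random-secret';

// Build the link your templates emit instead of the raw external URL.
function exit_link(string $url): string {
    $sig = hash_hmac('sha256', $url, EXIT_SECRET);
    return '/exit.php?url=' . rawurlencode($url) . '&sig=' . $sig;
}

// Same check as the post's version: absolute http/https URL with a host.
function valid_url(string $url): bool {
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    if ((string) parse_url($url, PHP_URL_HOST) === '') {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return $scheme === 'http' || $scheme === 'https';
}

// Return the target only when its signature matches, so third parties cannot
// point exit.php at arbitrary destinations. $_GET values may be arrays, so
// the type checks come before any string handling.
function signed_target(array $params): ?string {
    if (!isset($params['url'], $params['sig'])
        || !is_string($params['url']) || !is_string($params['sig'])) {
        return null;
    }
    $expected = hash_hmac('sha256', $params['url'], EXIT_SECRET);
    if (!hash_equals($expected, $params['sig'])) {   // constant-time compare
        return null;
    }
    return valid_url($params['url']) ? $params['url'] : null;
}

function redirect(string $url): void {
    // A redirect response may carry its own Referrer-Policy; the browser applies
    // it to the redirected request, so the original page URL is not sent along.
    header('Referrer-Policy: no-referrer');
    header('Location: ' . $url, true, 307);
}

$target = signed_target($_GET);
// Missing, tampered or invalid parameters fall back to the homepage, as in the post.
redirect($target ?? '/');
exit;
```

Because the signature is over the exact URL string, generate every external link with exit_link() rather than building the query string by hand.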

Instead of redirecting the user directly, you could show a splash screen on the “exit.php” page with a link to the final destination. This still hides the page the user is coming from while warning the user that they are leaving your website. This is common on banking and government sites as a way to notify visitors that they are about to visit a different website.

Other Methods and Information

There are a few other methods that partially work, along with some information about the HTTP Referer header that might be useful to have. None of them has enough coverage to be used as a complete solution on its own.

If you serve your website over HTTPS, browsers by default won’t send the Referer header when the user navigates to a site served over plain HTTP. This isn’t a full solution, since it only helps for destinations that don’t use SSL/TLS. You can learn more about the Referer header’s behaviour across secure and insecure connections by reading Section 5.5.2 of RFC 7231.

Another option that isn’t great is to handle all of your hyperlinks with JavaScript: open a new about:blank window and, once it has loaded, write a meta refresh into the blank page that sends it on to the destination. This removes the referrer information, but it won’t work if the user has JavaScript disabled.