Referer header

What is the Referer header?
The Referer header is an HTTP request header that identifies the address of the webpage that linked to the resource being requested. When you click a link on one website that takes you to another, your browser includes the Referer header to tell the destination site where you came from. This provides context about the navigation path users take across the web. Despite its importance in web analytics and security, the header is notably misspelled (missing an 'r' in "Referrer"), a quirk that has persisted since the early days of the web.
How does the Referer header work?
When your browser makes an HTTP request to load a webpage, image, or other resource, it automatically attaches the Referer header containing the full URL of the originating page. For example, if you click a link on example.com that takes you to destination.com, your browser sends a request to destination.com that includes "Referer: https://example.com" in the header. The receiving server can then extract and process this information. The header is transmitted with most requests, though there are exceptions—particularly when navigating from HTTPS sites to HTTP sites, where the header is often suppressed for security reasons.
Why is the Referer header important for analytics and security?
For analytics, the Referer header provides invaluable data about where website traffic originates. Site owners can track which external sites drive visitors, which marketing campaigns are effective, and how users navigate within their own site. This information shapes content strategy and informs business decisions.
From a security perspective, the Referer header serves as a basic defense mechanism. Websites can check if requests come from authorized sources, helping prevent cross-site request forgery attacks where malicious sites trick users' browsers into making unwanted requests. However, this same data creates privacy concerns—the header can leak sensitive information contained in URLs, such as search queries, account details, or session identifiers, potentially exposing user activity across different domains.
What are the common misspellings and history of the Referer header?
The correct spelling of the word is "referrer" with two r's, but the HTTP header uses "referer" with just one. This misspelling originated in the early specification of HTTP by Roy Fielding and Henrik Frystyk Nielsen. The error was introduced in the original specification document and has been maintained in all subsequent standards for backward compatibility. Changing it now would break countless systems that rely on the established spelling. This technical misspelling has become so entrenched that many developers now consider "referer" the correct spelling when discussing the HTTP header specifically, while "referrer" remains correct in general English usage.
How can you control or modify Referer header information?
Website owners can control Referer information using the Referrer-Policy HTTP header (note the correct spelling here) or HTML meta tags. This policy defines how much information is included when users navigate away from a site. Options range from no-referrer (sending no information) to unsafe-url (always sending the full URL).
For individual users concerned about privacy, modern browsers offer settings to limit Referer data. Browser extensions can provide more granular control. Additionally, using HTTPS helps protect sensitive information, as browsers typically strip Referer details when navigating from secure to non-secure sites.
Server administrators can implement referrer checking for security, but should avoid relying solely on this method for critical security functions since the header can be easily spoofed by malicious actors using custom HTTP clients or browser developer tools.
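One way to implement the server-side check described above, as an added example that is not from the original page: it compares the parsed origin of the Referer against an allowlist by exact match rather than substring search, and makes the missing-header case (for instance under a `no-referrer` policy) an explicit decision. The allowlist, the function names and the sample header values in the comments are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist: origins permitted to send state-changing requests.
ALLOWED_ORIGINS = {"https://example.com", "https://app.example.com:8443"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return 'scheme://host[:port]' for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # .hostname is lower-cased and excludes any userinfo ("user@") prefix,
    # so "https://example.com@other.test/" yields "other.test".
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def check_referer(headers, allowed=ALLOWED_ORIGINS, allow_missing=False):
    """Return (ok, reason) for a request's headers (a dict of name -> value).

    A passing result only means a browser-like client claimed an allowed
    origin. Any custom HTTP client can set this header, so pair the check
    with a real control such as a CSRF token.
    """
    value = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if value is None or not value.strip():
        # Header stripped by Referrer-Policy, HTTPS-to-HTTP navigation, or a proxy.
        return allow_missing, "missing"
    origin = origin_of(value)
    if origin is None:
        return False, "unparseable"
    if origin in allowed:
        return True, "allowed"
    # Covers look-alike hosts (example.com.other.test), the allowed origin
    # appearing only in the path or query, and http:// scheme downgrades.
    return False, "foreign-origin"
```

Comparing whole origins is what stops a value that merely contains the allowed hostname from passing.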