There are 2 sites:
http://www.site1.com http://www.site2.com http://www.site1.com contains link to http://www.site2.com as
<a href="http://www.site2.com/">link<a/> When user clicks on link from http://www.site1.com browser sends Referer header to http://www.site2.com. Based on Referrer header http://www.site2.com makes some processes.
I wonder if I can fake/change (maybe with javascript, PHP, ...) Referer header or not send it at all?
There are two situations in which you would want to control the Referer header. By the way, Referer is a miss-spelling of the word "referrer".
If you want to control your personal browser not to pass the Referer to site2.com, you can do that with many browser extensions:
The other situation is where you are a webmaster and you want the users of your site (site1.com) not to send the Referer to other sites linked on your site. You can do that in multiple ways:
Refererto HTTP links on your pages served up with SSL/TLS. However, if the links on your pages use HTTPS, then Referer will still be passed over unless explicitly turned off by other means described below. rel="noreferrer" attribute. It is supported by all major browsers.<a href='data:text/html;charset=utf-8, <html><meta http-equiv="refresh" content="0;URL='http://site2.com/'"></html>'>Link text</a>.Referer by redirecting through an intermediate page. This type of redirection is often used to prevent potentially-malicious links from gaining information using the Referer, for example a session ID in the query string. Many large community websites use link redirection on external links to lessen the chance of an exploit that could be used to steal account information, as well as make it clear when a user is leaving a service, to lessen the chance of effective phishing. Here is a simplistic redirection example in PHP:
<?php $url = htmlspecialchars($_GET['url']); header( 'Refresh: 0; url=http://'.$url ); ?> <html> <head> <title>Redirecting...</title> <meta http-equiv="refresh" content="0;url=http://<?php echo $url; ?>"> </head> <body> Attempting to redirect to <a href="http://<?php echo $url; ?>">http://<?php echo $url; ?></a>. </body> </html> As of 2015 this is how you prevent your website from sending the Referer header:
Just add this to the head section of the web page:
<meta name="referrer" content="no-referrer" /> This works both for links and for Ajax requests made by JavaScript code on the page.
Other valid meta options include:
<meta name="referrer" content="unsafe-url" /> <meta name="referrer" content="origin" /> <meta name="referrer" content="no-referrer-when-downgrade" /> <meta name="referrer" content="origin-when-cross-origin" /> • See if it works for your browser here: http://caniuse.com/#feat=referrer-policy
• See specs here: http://w3c.github.io/webappsec/specs/referrer-policy/
Note: If you want to remove the referrer by using JavaScript only, I believe you could add the appropriate meta tag dynamically just before making the Ajax request. I have not tested this, however.
Also note that browsers now send the Origin header which includes domain and port, and, as far as I know, cannot be removed. If you use <meta name="referrer" content="origin" /> the referrer will contain similar information to the Origin header, which is already good from a privacy point of view, since it will hide the exact page the user is in.
You can't modify the referer header unless you control the calling client, e.g. the browser.
Browsers block modifying the referer, and server-side code can't inject headers into a request as there is no way to get the header from the server to the client, and make the client inject it into the referer header of it's next request.
That's assuming the browser doesn't have a particular vulnerability around header injection from JavaScript though.
An excellent overview of the referral problem and its history can be found in "Stripping referrer for fun and profit".
The same article also contains links to:
<iframe src=about:blank> trick.I would write a python script (see http://docs.python-requests.org/en/latest/ for a great library, if the standard urllib looks complicated) but I think you would be able to spoof the referer using Tamper data / live http header plugin for firefox. Not sure tho, but have a look. There is also other firefox addons the lets you manipulate the referer header. Just search for referer in the firefox addons.
It is not hard to build an HTTP Header.
You only need a terminal and some swiss knife like netcat (It's a tool that lets you do very basics things, like cat on network).
Someting like:
nc << eof www.site2.com 80 GET /somepath/somedest HTTP/1.0 Host: wwww.site2.com Referer: wwww.site1.com . eof Could be enough.
(Note: the dot . at the end is useless, but an empty line marks the end of header)
So the answer is yes it's possible to fake an HTTP Header.
This was done on firefox 19.0
For hiding the referer field, I've used an option in squid proxy server from some years ago, but I'm sure that there must exist some modules or extensions for a browser which would do the trick....
...A quick look in my firefox (v19.0) config let me see that there is an option: network.http.sendRefererHeader.
This option could be set to:
0 Never send the Referer header or set document.referrer.1 Send the Referer header when clicking on a link, and set document.referrer for the following page.2 (Default) Send the Referer header when clicking on a link or loading an image, and set document.referrer for the following page. 
