Return to Answer

There are two situations in which you would want to control the Referer header. By the way, Referer is a miss-spelling of the word "referrer".

If you want to control your personal browser not to pass the Referer to site2.com, you can do that with many browser extensions:

• For Firefox there is RefControl (which I use and am happy with. I use the option "Forge- send the root of the site")
• Chrome has Referer Control

The other situation is where you are a webmaster and you want the users of your site (site1.com) not to send the Referer to other sites linked on your site. You can do that in multiple ways:

• Use SSL/TLS (https) on your site and a security feature of the browser is not to pass the Referer when it uses SSL/TLS.
• Use the HTML5 rel="noreferrer" attribute. It is supported by all major browsers.
• Use a Data URL ('data:') to hide the actual page the link is coming from: <a href='data:text/html;charset=utf-8, <html><meta http-equiv="refresh" content="0;URL=&#39;http://site2.com/&#39;"></html>'>Link text</a>.
• Hide the Referer by redirecting through an intermediate page. This type of redirection is often used to prevent potentially-malicious links from gaining information using the Referer, for example a session ID in the query string. Many large community websites use link redirection on external links to lessen the chance of an exploit that could be used to steal account information, as well as make it clear when a user is leaving a service, to lessen the chance of effective phishing.

Here is a simplistic redirection example in PHP:

<?php $url = htmlspecialchars($_GET['url']); header( 'Refresh: 0; url=http://'.$url ); ?> <html> <head> <title>Redirecting...</title> <meta http-equiv="refresh" content="0;url=http://<?php echo $url; ?>"> </head> <body> Attempting to redirect to <a href="http://<?php echo $url; ?>">http://<?php echo $url; ?></a>. </body> </html> 

There are two situations in which you would want to control the Referer header. By the way, Referer is a miss-spelling of the word "referrer".

If you want to control your personal browser not to pass the Referer to site2.com, you can do that with many browser extensions:

• For Firefox there is RefControl (which I use and am happy with. I use the option "Forge- send the root of the site")
• Chrome has Referer Control

The other situation is where you are a webmaster and you want the users of your site (site1.com) not to send the Referer to other sites linked on your site. You can do that in multiple ways:

• Use SSL/TLS (https) on your site and a security feature of the browser is not to pass the Refererto HTTP links on your pages served up with SSL/TLS. However, if the links on your pages use HTTPS, then Referer will still be passed over unless explicitly turned off by other means described below.
• Use the HTML5 rel="noreferrer" attribute. It is supported by all major browsers.
• Use a Data URL ('data:') to hide the actual page the link is coming from: <a href='data:text/html;charset=utf-8, <html><meta http-equiv="refresh" content="0;URL=&#39;http://site2.com/&#39;"></html>'>Link text</a>.
• Hide the Referer by redirecting through an intermediate page. This type of redirection is often used to prevent potentially-malicious links from gaining information using the Referer, for example a session ID in the query string. Many large community websites use link redirection on external links to lessen the chance of an exploit that could be used to steal account information, as well as make it clear when a user is leaving a service, to lessen the chance of effective phishing.

Here is a simplistic redirection example in PHP:

<?php $url = htmlspecialchars($_GET['url']); header( 'Refresh: 0; url=http://'.$url ); ?> <html> <head> <title>Redirecting...</title> <meta http-equiv="refresh" content="0;url=http://<?php echo $url; ?>"> </head> <body> Attempting to redirect to <a href="http://<?php echo $url; ?>">http://<?php echo $url; ?></a>. </body> </html> 

There are two situations in which you would want to control the Referer header. By the way, Referer is a miss-spelling of the word "referrer".

If you want to control your personal browser not to pass the Referer to site2.com, you can do that with many browser extensions:

• For Firefox there is RefControl (which I use and am happy with. I use the option "Forge- send the root of the site")
• Chrome has Referer Control

The other situation is where you are a webmaster and you want the users of your site (site1.com) not to send the Referer to other sites linked on your site. You can do that in multiple ways:

• Use SSL/TLS (https) on your site and a security feature of the browser is not to pass the Referer when it uses SSL/TLS.
• Use the HTML5 rel="noreferrer" attribute. The downside to this is that it is not supported by many browsers, I know only Chrome supports it.
• Use a Data URL ('data:') to hide the actual page the link is coming from: <a href='data:text/html;charset=utf-8, <html><meta http-equiv="refresh" content="0;URL=&#39;http://site2.com/&#39;"></html>'>Link text</a>.
• Hide the Referer by redirecting through an intermediate page. This type of redirection is often used to prevent potentially-malicious links from gaining information using the Referer, for example a session ID in the query string. Many large community websites use link redirection on external links to lessen the chance of an exploit that could be used to steal account information, as well as make it clear when a user is leaving a service, to lessen the chance of effective phishing.

Here is a simplistic redirection example in PHP:

<?php $url = htmlspecialchars($_GET['url']); header( 'Refresh: 0; url=http://'.$url ); ?> <html> <head> <title>Redirecting...</title> <meta http-equiv="refresh" content="0;url=http://<?php echo $url; ?>"> </head> <body> Attempting to redirect to <a href="http://<?php echo $url; ?>">http://<?php echo $url; ?></a>. </body> </html> 

There are two situations in which you would want to control the Referer header. By the way, Referer is a miss-spelling of the word "referrer".

If you want to control your personal browser not to pass the Referer to site2.com, you can do that with many browser extensions:

• For Firefox there is RefControl (which I use and am happy with. I use the option "Forge- send the root of the site")
• Chrome has Referer Control

The other situation is where you are a webmaster and you want the users of your site (site1.com) not to send the Referer to other sites linked on your site. You can do that in multiple ways:

• Use SSL/TLS (https) on your site and a security feature of the browser is not to pass the Referer when it uses SSL/TLS.
• Use the HTML5 rel="noreferrer" attribute. It is supported by all major browsers.
• Use a Data URL ('data:') to hide the actual page the link is coming from: <a href='data:text/html;charset=utf-8, <html><meta http-equiv="refresh" content="0;URL=&#39;http://site2.com/&#39;"></html>'>Link text</a>.
• Hide the Referer by redirecting through an intermediate page. This type of redirection is often used to prevent potentially-malicious links from gaining information using the Referer, for example a session ID in the query string. Many large community websites use link redirection on external links to lessen the chance of an exploit that could be used to steal account information, as well as make it clear when a user is leaving a service, to lessen the chance of effective phishing.

Here is a simplistic redirection example in PHP:

<?php $url = htmlspecialchars($_GET['url']); header( 'Refresh: 0; url=http://'.$url ); ?> <html> <head> <title>Redirecting...</title> <meta http-equiv="refresh" content="0;url=http://<?php echo $url; ?>"> </head> <body> Attempting to redirect to <a href="http://<?php echo $url; ?>">http://<?php echo $url; ?></a>. </body> </html> 

There are two situations in which you would want to control the Referer header. BTW Referer is a miss-spelling of the word "referrer".

If you want to control your personal browser not to pass the Referer to site2.com, you can do that with many browser extensions:

• For Firefox there is RefControl (which I use and am happy with. I use the option "Forge- send the root of the site")
• Chrome has Referer Control

The other situation is where you are a webmaster and you want the users of your site (site1.com) not to send the Referer to other sites linked on your site. You can do that in multiple ways:

• Use SSL/TLS (https) on your site and a security feature of the browser is not to pass the Referer when it uses SSL/TLS.
• Use the HTML5 rel="noreferrer" attribute. The downside to this is that it is not supported by many browsers, I know only Chrome supports it.
• Use a Data URL ('data:') to hide the actual page the link is coming from: <a href='data:text/html;charset=utf-8, <html><meta http-equiv="refresh" content="0;URL=&#39;http://site2.com/&#39;"></html>'>Link text</a>.
• Hide the Referer by redirecting through an intermediate page. This type of redirection is often used to prevent potentially-malicious links from gaining information using the Referer, for example a session ID in the query string. Many large community websites use link redirection on external links to lessen the chance of an exploit that could be used to steal account information, as well as make it clear when a user is leaving a service, to lessen the chance of effective phishing.

Here is a simplistic redirection example in PHP:

<?php $url = htmlspecialchars($_GET['url']); header( 'Refresh: 0; url=http://'.$url ); ?> <!-- Fallback using meta refresh. --> <html> <head> <title>Redirecting...</title> <meta http-equiv="refresh" content="0;url=http://<?php echo $url; ?>"> </head> <body> Attempting to redirect to <a href="http://<?php echo $url; ?>">http://<?php echo $url; ?></a>. </body> </html> 

There are two situations in which you would want to control the Referer header. By the way, Referer is a miss-spelling of the word "referrer".

If you want to control your personal browser not to pass the Referer to site2.com, you can do that with many browser extensions:

• For Firefox there is RefControl (which I use and am happy with. I use the option "Forge- send the root of the site")
• Chrome has Referer Control

The other situation is where you are a webmaster and you want the users of your site (site1.com) not to send the Referer to other sites linked on your site. You can do that in multiple ways:

• Use SSL/TLS (https) on your site and a security feature of the browser is not to pass the Referer when it uses SSL/TLS.
• Use the HTML5 rel="noreferrer" attribute. The downside to this is that it is not supported by many browsers, I know only Chrome supports it.
• Use a Data URL ('data:') to hide the actual page the link is coming from: <a href='data:text/html;charset=utf-8, <html><meta http-equiv="refresh" content="0;URL=&#39;http://site2.com/&#39;"></html>'>Link text</a>.
• Hide the Referer by redirecting through an intermediate page. This type of redirection is often used to prevent potentially-malicious links from gaining information using the Referer, for example a session ID in the query string. Many large community websites use link redirection on external links to lessen the chance of an exploit that could be used to steal account information, as well as make it clear when a user is leaving a service, to lessen the chance of effective phishing.

Here is a simplistic redirection example in PHP:

<?php $url = htmlspecialchars($_GET['url']); header( 'Refresh: 0; url=http://'.$url ); ?> <html> <head> <title>Redirecting...</title> <meta http-equiv="refresh" content="0;url=http://<?php echo $url; ?>"> </head> <body> Attempting to redirect to <a href="http://<?php echo $url; ?>">http://<?php echo $url; ?></a>. </body> </html>