The Referer request header contains the address of the previous web page from which a link to the currently requested page was followed. The
Referer header lets servers identify where visitors are coming from; they may use that data for analytics, logging, or optimized caching, for example.
Note that referer is actually a misspelling of the word "referrer". See HTTP referer on Wikipedia for more details.
The Referer header has the potential to reveal information about the browsing history of the user, which is a privacy concern.
Before linking to or embedding content, check the associated privacy, security and regulatory risks. This applies even to pages that contain no sensitive information themselves but are linked to from pages that do.
For instance, by default the URL of a password reset page leaks to the servers hosting any content embedded on that page and to the hosts of any links clicked on it.
A further risk exists on the linked pages themselves: content loaded on such a page may be able to read the referrer from document.referrer.
Beware of first-party hosts normally considered low risk, such as image hosts, which become a security liability on these pages because they receive referrers too.
Some browsers, like Firefox, also send referrers from views that are not plain HTML pages. For instance, JsonView sends a referrer when a URL inside the displayed JSON is clicked, which may reveal private data: it is not unusual for APIs to misuse query parameters to carry API keys.
The Referer header is not sent by browsers if:
- the referring resource is a local "file" or "data" URI,
- an unsecured HTTP request is used and the referring page was received with a secure protocol (HTTPS).
| | |
|---|---|
| Header type | Request header |
| Forbidden header name | yes |
- An absolute or partial address of the previous web page from which a link to the currently requested page was followed. URL fragments (e.g. "#section") and userinfo (e.g. "username:password" in "https://username:password@example.org/foo/bar/") are not included.
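The following is an added example, not code from the original page: it models the rules above (no Referer from "file"/"data" sources or on an HTTPS-to-HTTP downgrade; fragment and userinfo stripped, path and query kept) so a defender can check which part of a sensitive URL, such as a password reset link, would be exposed to third-party hosts. The URLs in the tests are constructed sample values.

```python
from typing import List, Optional
from urllib.parse import parse_qsl, urlsplit, urlunsplit


def referer_for(referring_url: str, target_url: str) -> Optional[str]:
    """Return the Referer value a browser sends when following a link or
    loading a resource from referring_url to target_url, or None when the
    header is not sent at all (default policy as described on this page)."""
    ref = urlsplit(referring_url)
    tgt = urlsplit(target_url)

    # Rule 1: local "file" or "data" resources never produce a Referer.
    if ref.scheme in ("file", "data"):
        return None

    # Rule 2: no Referer when dropping from HTTPS to unsecured HTTP.
    if ref.scheme == "https" and tgt.scheme == "http":
        return None

    # Strip userinfo by rebuilding the authority from host (and port) only.
    # Note: hostname is lowercased; IPv6 literals need their brackets back.
    host = ref.hostname or ""
    if ":" in host:
        host = f"[{host}]"
    netloc = host if ref.port is None else f"{host}:{ref.port}"

    # Drop the fragment; keep path and query. The query is exactly the part
    # that leaks tokens or API keys placed in query parameters.
    return urlunsplit((ref.scheme, netloc, ref.path, ref.query, ""))


def exposed_query_params(referer_value: Optional[str]) -> List[str]:
    """Names of query parameters that reach the receiving host in the Referer.
    Use this to audit pages whose URLs carry reset tokens, session ids, etc."""
    if referer_value is None:
        return []
    return [name for name, _ in parse_qsl(urlsplit(referer_value).query, keep_blank_values=True)]
```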
| Specification | Title |
|---|---|
| RFC 7231, section 5.5.2: Referer | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content |