The Referer request header contains the address of the previous web page from which a link to the currently requested page was followed. The Referer header allows servers to identify where people are visiting them from, and they may use that data for analytics, logging, or optimized caching, for example.

Note that referer is actually a misspelling of the word "referrer". See HTTP referer on Wikipedia for more details.

The Referer header has the potential to reveal information about the browsing history of the user, which is a privacy concern.

You should not link to or include content without first checking the associated privacy, security and regulatory risks. This includes pages that do not themselves contain at-risk information but are linked to by pages that do.

For instance, by default the URL of a password reset page will leak to the servers hosting content included on that page and to the hosts of links clicked on that page.

There is a subsequent risk on linked pages: content loaded on the linked page may be able to read the referrer from document.referrer.

Beware of first-party hosts that are considered a lower security risk, such as image hosts: they may become a security liability on these pages because they may receive referrers.

Some browsers, like Firefox, also send referrers from views that are not just HTML pages. For instance, JsonView will send referrers when URLs in the JSON are clicked on, which may reveal private data. For instance, it is sometimes the case in APIs that query parameters are misused to carry API keys.

A Referer header is not sent by browsers if:

  • the referring resource is a local "file" or "data" URI,
  • an unsecured HTTP request is used and the referring page was received with a secure protocol (HTTPS).

Header type: Request header
Forbidden header name: yes

Syntax

Referer: <url>

Directives

<url>
An absolute or partial address of the previous web page from which a link to the currently requested page was followed. URL fragments (i.e. "#section") and userinfo (i.e. "username:password" in "https://username:password@example.com/foo/bar/") are not included.

Examples

Referer: https://developer.mozilla.org/en-US/docs/Web/JavaScript
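The rules above (no Referer from "file" or "data" URIs or on an HTTPS to HTTP downgrade, fragments and userinfo stripped) can be turned into a check for URLs that would expose secrets to other hosts. This is an added example, not code from the original page; the function names, the parameter-name list and the example.* URLs are assumptions, and Referrer-Policy is not modelled.

```javascript
// Query parameter names treated as sensitive (assumed list, adjust per application).
const SENSITIVE = /^(token|reset_token|api_?key|key|session|password)$/i;

// Returns the Referer value sent when navigating or loading toUrl from fromUrl,
// following only the rules stated on this page, or null when none is sent.
function refererFor(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Not sent when the referring resource is a local "file" or "data" URI.
  if (from.protocol === 'file:' || from.protocol === 'data:') return null;
  // Not sent when an HTTPS page requests an unsecured HTTP resource.
  if (from.protocol === 'https:' && to.protocol === 'http:') return null;
  // URL fragments and userinfo are not included.
  from.hash = '';
  from.username = '';
  from.password = '';
  return from.href;
}

// Lists sensitive query parameters that a different origin would receive.
function leakedParams(fromUrl, toUrl) {
  const referer = refererFor(fromUrl, toUrl);
  if (referer === null) return [];
  const from = new URL(referer);
  if (from.origin === new URL(toUrl).origin) return []; // never leaves the origin
  return [...from.searchParams.keys()].filter((name) => SENSITIVE.test(name));
}

// Constructed sample: a password reset page that embeds an image from another host.
const resetPage = 'https://user:pw@app.example/reset?token=abc123#form';
console.log(refererFor(resetPage, 'https://img.example/logo.png'));
console.log(leakedParams(resetPage, 'https://img.example/logo.png'));
```

A non-empty result from leakedParams marks a page whose secrets should be moved out of the URL or whose outbound referrers should be suppressed.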

Specifications

Specification: RFC 7231, section 5.5.2: Referer
Title: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content

Browser compatibility

Feature        Chrome  Edge  Firefox  Internet Explorer  Opera  Safari
Basic support  Yes     Yes   Yes      Yes                Yes    Yes

Feature        Android webview  Chrome for Android  Edge mobile  Firefox for Android  Opera Android  iOS Safari  Samsung Internet
Basic support  Yes              Yes                 Yes          Yes                  Yes            Yes         Yes

Document Tags and Contributors

Last updated by: apeltz,