Remove http referer

http http-headers referrer-policy
shiva picture shiva · Jul 25, 2011 · Viewed 99.1k times · Source

Is it a way to remove or hide http referer information in request header? i want to remove http referrer information of users who goes to other site from my site using a script possibly in javascript python or django

example:

Host    slogout.espncricinfo.com
User-Agent  Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0    
Accept  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8    
Accept-Language en-us,en;q=0.5    
Accept-Encoding gzip, deflate    
Accept-Charset  ISO-8859-1,utf-8;q=0.7,*;q=0.7    
Connection  keep-alive
Referer http://slogout.espncricinfo.com/index.php?page=index&level=login

Answer

MarcG picture MarcG · Aug 14, 2015

As of 2015 this is how you prevent sending the Referer header:

Just add this to the head section of the web page:

 <meta name="referrer" content="no-referrer" />

This works both for links and for Ajax requests made by JavaScript code on the page.

Other valid meta options include:

<meta name="referrer" content="unsafe-url" />
<meta name="referrer" content="origin" />
<meta name="referrer" content="no-referrer-when-downgrade" />
<meta name="referrer" content="origin-when-cross-origin" />

• See if it works for your browser here: http://caniuse.com/#feat=referrer-policy

• See specs here: http://w3c.github.io/webappsec/specs/referrer-policy/

Also note that browsers now send the Origin header (with CORS requests and POST requests, see here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin) which includes domain and port, and, as far as I know, cannot be removed. If you use <meta name="referrer" content="origin" /> the referrer will contain similar information to the Origin header, which is already good from a privacy point of view, since it will hide the exact page the user is in.

Update:

If you want to remove the referrer by using JavaScript only, you may add the appropriate meta tag dynamically just before making the Ajax request. This JavaScript will add <meta name="referrer" content="no-referrer" /> to head section of the web page:

var meta = document.createElement('meta');
meta.name = "referrer";
meta.content = "no-referrer";
document.getElementsByTagName('head')[0].appendChild(meta);

Related questions

application/x-www-form-urlencoded or multipart/form-data?

In HTTP there are two ways to POST data: application/x-www-form-urlencoded and multipart/form-data. I understand that most browsers are only able to upload files if multipart/form-data is used. Is there any additional guidance when to use one of …

Read More
How do we control web page caching, across all browsers?

Our investigations have shown us that not all browsers respect the HTTP cache directives in a uniform manner. For security reasons we do not want certain pages in our application to be cached, ever, by the web browser. This must …

Read More
Accessing the web page's HTTP Headers in JavaScript

How do I access a page's HTTP response headers via JavaScript? Related to this question, which was modified to ask about accessing two specific HTTP headers. Related: How do I access the HTTP request header fields via JavaScript?

Read More