The Referrer header automatically includes the source URL of a transition, like clicking a link, in the request's Referer header. However, this can unintentionally expose some information.
16
+
The <Lhref='https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer'>Referer</L> header automatically includes the source URL of a transition, like clicking a link, in the request's Referer header. However, this can unintentionally expose some information.
17
17
</C>
18
18
<C>
19
19
So let's explore al the ways which allows us to control this behavior.
20
20
</C>
21
21
22
22
<H2>Referrer or Referer?</H2>
23
23
<C>
24
-
In proper English, "Referrer" is correct, but the misspelled "Referer" is used in the HTTP header for historical compatibility. The newly defined Referrer-Policy is spelled correctly though.
24
+
In proper English, "Referrer" is correct, but the misspelled "Referer" is used in the HTTP header for historical compatibility. The <Lhref='https://www.w3.org/TR/referrer-policy/'>newly</L> defined <Lhref='https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy'>Referrer-Policy</L> is spelled correctly though.
25
25
</C>
26
26
<H3>The Referer Header</H3>
27
27
<C>
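Review bot: the added sentence still names the header twice ("The Referer header automatically includes the source URL of a transition ... in the request's Referer header"), so the link is an improvement but the wording is not; consider "The Referer header automatically carries the URL of the page a navigation (such as clicking a link) started from." In the unchanged context line "So let's explore al the ways which allows us to control this behavior." there is a typo and a number-agreement error: "all the ways that allow us". In the added "Referrer or Referer?" paragraph the W3C link is anchored on the word "newly", which tells the reader nothing about the destination; anchor it on the spec name instead, e.g. "the newly defined <L href='https://www.w3.org/TR/referrer-policy/'>Referrer-Policy specification</L>".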
@@ -45,7 +45,7 @@ From an application perspective, the Referer should be treated as auxiliary info
45
45
<H2>Usage</H2>
46
46
47
47
<C>
48
-
There are many ways the Referer header can be used
48
+
There are many ways the Referer header can be used
49
49
</C>
50
50
<H3>Tracking</H3>
51
51
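Review bot: the removed and added versions of "There are many ways the Referer header can be used" look identical in this rendering, so this is presumably a whitespace-only change; if the intent was to fix the sentence, it still has no terminal punctuation. Since it introduces the uses that follow (Tracking, the CSRF check, Preventing Plagiarism), end it with a colon: "There are many ways the Referer header can be used:".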
@@ -66,7 +66,7 @@ The header can be checked to combat Cross-Site Request Forgery. However, for for
66
66
</C>
67
67
<H3>Preventing Plagiarism</H3>
68
68
<C>
69
-
Some plagiarism detection tools or services may use `Referer` information as part of their analysis. By analyzing where content is being accessed from and comparing it to known sources or authorized domains
69
+
Some plagiarism detection tools or services may use `Referer` information as part of their analysis. By analyzing where content is being accessed from and comparing it to known sources or authorized domains.
70
70
</C>
71
71
<H2>Risks of Information Leakage</H2>
72
72
<C>
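Review bot: adding a period after "authorized domains" does not repair the sentence, which remains a fragment with no main clause ("By analyzing where content is being accessed from and comparing it to known sources or authorized domains."). Finish the thought, for example: "... comparing it to known sources or authorized domains, such tools can flag copies served from unexpected locations." Since the earlier context line already says the Referer "should be treated as auxiliary info", it is worth repeating here that the header is client-controlled and frequently absent, so any such check can only be a heuristic.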
@@ -83,13 +83,13 @@ Jumping to an external page from search results can also reveal project details.
83
83
<C>
84
84
There are many ways to go by this
85
85
</C>
86
-
<H3>Browser Settings</H3>
86
+
<H3>Proxies</H3>
87
87
<C>
88
-
Some browsers allow restricting Referer sending via settings like Firefox's <Lhref='https://support.mozilla.org/en-US/kb/about-config-editor-firefox#w_opening-aboutconfig'>``about:config``</L> or Chrome's command line options. Browser extensions also provide this functionality.
88
+
Organizations often use <Lhref='https://www.ibm.com/docs/en/i/7.3?topic=concepts-proxy-server-types#rzaieproxytypes__forward__title__1'>forward proxies</L> to manage internal network traffic, including controlling the Referer header. This allows selective dropping or rewriting of the Referer based on whether it's an internal or external domain (friendly <Lhref='https://en.wikipedia.org/wiki/Man-in-the-middle_attack'>MITM</L> I suppose), in attempt to not leak information. However, with the widespread adoption of HTTPS, this method is not viable anymore.
89
89
</C>
90
-
<H3>Internal Proxies</H3>
90
+
<H3>Browser Settings</H3>
91
91
<C>
92
-
Companies often use proxies to manage internal network traffic, including controlling the Referer header. This allows selective dropping or rewriting of the Referer based on whether it's an internal or external domain. However, with the widespread adoption of HTTPS, which encrypts traffic end-to-end, traditional proxy methods like <Lhref='https://en.wikipedia.org/wiki/Man-in-the-middle_attack'>MITM</L> have limitations due to encryption complexities.
92
+
Some browsers allow restricting Referer sending via settings like Firefox's <Lhref='https://support.mozilla.org/en-US/kb/about-config-editor-firefox#w_opening-aboutconfig'>``about:config``</L> or Chrome's command line options. Browser extensions also provide this functionality.
93
93
</C>
94
94
<H3>Referrer Policy </H3>
95
95
<C>
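Review bot: the rewritten proxy paragraph now states that with HTTPS "this method is not viable anymore", which is stronger than the text it replaces ("have limitations due to encryption complexities") and overstates the case: a forward proxy that does not terminate TLS sees only the CONNECT target and cannot read or rewrite the Referer, but one that intercepts TLS with an organization-installed CA (the "friendly MITM" the same sentence mentions) still can. Keep the nuance, e.g. "Unless the proxy terminates TLS, it cannot see or rewrite the Referer, so for HTTPS traffic this only works with TLS interception." Two smaller fixes in the same hunk: "in attempt to not leak information" should read "in an attempt not to leak information", and the context line "There are many ways to go by this" should be "There are many ways to go about this". Swapping the order of the "Proxies" and "Browser Settings" sections is fine, but the commit message should say it is a reorder, since the diff otherwise reads as a rewrite of both.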
@@ -214,7 +214,7 @@ It's important to note that if the Origin header is sent, it conveys similar inf
214
214
-\-**Description:** Reflects the behavior dictated by the User Agent or higher-level specification when Referrer Policy is not explicitly set.
215
215
</C>
216
216
<C>
217
-
These Referrer Policy settings offer varying levels of control over the Referer header to balance privacy and functionality based on different security needs and scenarios. But there are
217
+
These Referrer Policy settings offer varying levels of control over the Referer header to balance privacy and functionality based on different security needs and scenarios. But there are
218
218
</C>
219
219
<H2>
220
220
Ways to Apply Referrer-Policy
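Review bot: the changed line is identical on both sides in this rendering and still ends mid-sentence ("... based on different security needs and scenarios. But there are"); either complete the sentence before the "Ways to Apply Referrer-Policy" heading or drop the dangling "But there are". Separately, the unchanged context line beginning "-\-**Description:**" looks like a mangled list marker (a dash immediately followed by an escaped dash); check whether the intended Markdown is "- **Description:**" so that the default-policy entry renders like the other policy entries.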
@@ -314,5 +314,3 @@ This approach is useful when you cannot modify the content directly (e.g., third
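Review bot: this last hunk (-314,5 +314,3) removes two lines near "This approach is useful when you cannot modify the content directly", but its body is not shown in this rendering, so the removal cannot be reviewed here; if these were only trailing blank lines, note that in the commit message, otherwise please surface the removed text.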