Tags: security, http-headers, cross-domain, http-referer, referrer-policy

In what cases will HTTP_REFERER be empty


I know it's possible to get an empty HTTP_REFERER. Under what circumstances does this happen? If I get an empty one, does it always mean that the user changed it? Is getting an empty one the same as getting a null one? And under what circumstances do I get that too?


Solution

  • It will/may be empty or partial when the end user

    • entered the site URL in browser address bar itself.
    • visited the site by a browser-maintained bookmark.
    • visited the site as first page in a new window/tab/session, in some browsers.
    • clicked a link on a page having restrictive <meta name="referrer"> tag.
    • clicked a link on a page having restrictive Referrer-Policy header.
    • clicked a link having rel="noreferrer".
    • clicked a link in an external application (i.e. not a web browser, e.g. Flash).
    • switched from a https URL to a http URL.
    • has security software installed (antivirus/firewall/etc) which strips the referrer from all requests.
    • is behind a proxy which strips the referrer from all requests.
    • visited the site programmatically (like, curl) without setting the referrer header (bots!).
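
As an added example (not part of the original answer), this Python sketch shows how server code reading a WSGI/CGI-style `HTTP_REFERER` can tell apart a header that was never sent (the key is missing, i.e. the "null" case), a header sent with an empty value, and a "partial" value trimmed to its origin. The function names, labels, the `shop.example` and `news.example` hosts and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(url):
    """Return ((scheme, host, port), parts) for an http(s) URL, else (None, None)."""
    try:
        parts = urlsplit(url)
        port = parts.port                    # raises ValueError on a bad port
    except ValueError:
        return None, None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None, None
    return (parts.scheme, parts.hostname, port or DEFAULT_PORTS[parts.scheme]), parts

def classify_referer(environ, own_origin):
    """Label the Referer of one request; own_origin is e.g. "https://shop.example"."""
    raw = environ.get("HTTP_REFERER")
    if raw is None:
        return "absent"                      # header not sent at all ("null")
    if not raw.strip():
        return "empty"                       # header present, value blank
    origin, parts = _origin(raw.strip())
    if origin is None:
        return "malformed"                   # e.g. about:blank, broken URL
    if origin == _origin(own_origin)[0]:
        return "same-origin"
    if parts.path in ("", "/") and not parts.query:
        return "cross-origin-origin-only"    # path may have been trimmed by policy
    return "cross-origin-full"

# Constructed sample requests (WSGI-style environ dicts), not real traffic.
SAMPLES = [
    {},                                                  # typed URL, bookmark, curl
    {"HTTP_REFERER": ""},                                # value stripped upstream
    {"HTTP_REFERER": "HTTPS://Shop.Example:443/cart?id=1"},
    {"HTTP_REFERER": "https://news.example/"},           # trimmed to origin
    {"HTTP_REFERER": "https://news.example/story/42"},
    {"HTTP_REFERER": "about:blank"},
]

if __name__ == "__main__":
    for env in SAMPLES:
        print(repr(env.get("HTTP_REFERER")), "->",
              classify_referer(env, "https://shop.example"))
```

None of the "absent", "empty" or "cross-origin-origin-only" labels indicates by itself that the user altered the header, since every cause in the list above produces one of them.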