Thursday, March 3, 2016

Where Did All the HTTP Referrers Go?

Stephen Merity (via Hacker News):

This leaves two problematic situations:

  • HTTP websites don’t receive referrers from HTTPS websites -- all traffic appears as direct traffic
  • HTTPS websites will send referrers to any other HTTPS website even if it contains sensitive information

The first situation means we lose any understanding of where traffic is coming from, the second situation leads potentially to security vulnerabilities or information leaks. Essentially, if a HTTP website links to another HTTP website, the author of the secure page is lending extra trust just as it’s HTTPS. In most cases, this is not what was intended.

[…]

These cases are covered under a new HTML5 called the meta referrer. Now a simple tag can be used, such as <meta name="referrer" content="always">, to specify the exact behaviour of the HTTP Referrer regardless of whether we’re using HTTP or HTTPS.

Update (2016-03-03): To be clear, this tag can help you send referrers to sites that you link to. It doesn’t help you see how visitors are getting to your site unless the source sites adopt it.

Update (2016-06-22): See also: Everything you could ever want to know (and more) about controlling the Referer header.
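As an added illustration (not code from the post or from Stephen Merity), the following Python models how a browser decides what to send in the Referer header given the policy named by a `<meta name="referrer">` tag. The policy names and the legacy aliases (`always`, `never`, `default`, `origin-when-crossorigin`) follow the W3C Referrer Policy specification; the function also generalizes beyond the single `always` value the post mentions. Assumptions: the browser's fallback policy when no tag is present is passed in as `default` (the post's era defaulted to `no-referrer-when-downgrade`; current browsers use `strict-origin-when-cross-origin`), and a "downgrade" is simplified to an HTTPS source linking to a non-HTTPS destination. The sample URLs are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Legacy meta-referrer values and their modern spec equivalents (per the
# W3C Referrer Policy specification).
LEGACY_VALUES = {
    "never": "no-referrer",
    "default": "no-referrer-when-downgrade",
    "always": "unsafe-url",
    "origin-when-crossorigin": "origin-when-cross-origin",
}


def _full_referrer(url: str) -> str:
    """Referrer form of a URL: userinfo and fragment are always stripped."""
    p = urlsplit(url)
    host = p.netloc.rsplit("@", 1)[-1]
    return urlunsplit((p.scheme.lower(), host, p.path, p.query, ""))


def _origin(url: str) -> str:
    """Serialized origin with trailing slash, e.g. 'https://example.com/'."""
    p = urlsplit(url)
    host = p.netloc.rsplit("@", 1)[-1]
    return f"{p.scheme.lower()}://{host}/"


def compute_referrer(policy: str, source_url: str, dest_url: str,
                     default: str = "no-referrer-when-downgrade"):
    """Return the Referer value a browser sends for source_url -> dest_url,
    or None when no Referer is sent.  `policy` is the meta tag's content
    ('' means no tag present, so `default` applies)."""
    policy = LEGACY_VALUES.get(policy.lower(), policy.lower()) or default
    full = _full_referrer(source_url)
    origin = _origin(source_url)
    same_origin = origin == _origin(dest_url)
    # Simplification (assumption): downgrade == HTTPS page linking to non-HTTPS.
    downgrade = (urlsplit(source_url).scheme.lower() == "https"
                 and urlsplit(dest_url).scheme.lower() != "https")

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full                      # leaks path+query even on downgrade
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full   # the post's "two situations"
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown referrer policy: {policy!r}")


class _MetaReferrerParser(HTMLParser):
    """Collects the content of <meta name="referrer"> tags; last one wins."""
    def __init__(self):
        super().__init__()
        self.policy = ""

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "referrer":
            self.policy = a.get("content", "").strip()


def policy_from_html(html: str) -> str:
    """Extract the referrer policy declared by a page's meta tag ('' if none)."""
    p = _MetaReferrerParser()
    p.feed(html)
    return p.policy


if __name__ == "__main__":
    # Constructed sample: a page whose URL carries a sensitive query string.
    secure = "https://secure.example/account?id=42#top"
    for dest in ("http://plain.example/", "https://other.example/"):
        for pol in ("", "always", "origin", "strict-origin-when-cross-origin"):
            print(f"{pol or '(no tag)':35} -> {dest:25} "
                  f"Referer: {compute_referrer(pol, secure, dest)}")
```

Running the block prints a small matrix showing both situations from the post under the old default (HTTPS to HTTP sends nothing; HTTPS to HTTPS sends the full URL including the query string) and how `origin` or `strict-origin-when-cross-origin` limits the leak while still telling the destination where traffic came from.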
