HTTP referer
Encyclopedia
The referrer, or HTTP referrer — also known by the common misspelling referer that occurs as an HTTP header field — identifies, from the point of view of an Internet
webpage or resource, the address of the webpage (commonly the Uniform Resource Locator
(URL); the more-generic Uniform Resource Identifier
(URI); or the internationalization and localization
(i18n)-updated Internationalized Resource Identifier
(IRI)) of the resource which links to it. By checking the referrer, the new webpage can see where the request originated.
In the most common situation this means that when a user clicks a link
in a web browser
, the browser sends a request to the server holding the destination webpage. The request includes the referrer field, which says the last page the user was on (the one where he/she clicked the link).
Referrer log
ging is used to allow website
s and web server
s to identify where people are visiting them from, for promotional or security purposes. Referrer is a popular tool to combat cross-site request forgery
, but such security mechanisms are weakened by the ease of disabling or forging a referrer. The referrer is widely used for statistical purposes.
A dereferrer is a means to strip the details of the referring website from a link request so that the target website cannot identify the page which was clicked on to originate a request.
(RFC) 1945; document co-author Roy Fielding
has remarked that neither "referrer" nor the misspelling "referer" were recognized by the standard Unix
spell checker
of the period. "Referer" has since become a widely used spelling in the industry when discussing HTTP referrers; usage of the misspelling is not universal, though, as the correct spelling of "referrer" is used in some web specifications such as the Document Object Model
.
More generally, a referrer is the URL of a previous item which led to this request. The referrer for an image, for example, is generally the HTML
page on which it is to be displayed. The referrer field is an optional part of the HTTP request sent by the web browser
to the web server.
Many websites log referrers as part of their attempt to track their users. Most web log analysis software
can process this information. Because referrer information can violate privacy
, some web browsers allow the user to disable the sending of referrer information. Some proxy
and firewall software will also filter out referrer information, to avoid leaking the location of non-public websites. This can, in turn, cause problems: some web servers block parts of their website to web browsers that do not send the right referrer information, in an attempt to prevent deep linking
or unauthorised use of images (bandwidth theft). Some proxy software has the ability to give the top-level address of the target website as the referrer, which usually prevents these problems while still not divulging the user's last-visited website.
Recently many blogs have started publishing referrer information in order to link back to people who are linking to them, and hence broaden the conversation. This has led, in turn, to the rise of referrer spam: the sending of fake referrer information in order to popularize the spammer's website.
Many pornographic paysite
s use referrer information to secure their websites. Only web browsers arriving from a small set of approved (login) pages are given access; this facilitates the sharing of materials among a group of cooperating paysites. Referrer spoofing is often used to gain free access to these paysites.
suites blank the referrer data, while web-based servers replace it with a false URL, usually their own. This, of course, raises the problem of referrer spam. The technical details of both methods are fairly consistent — software applications act as a proxy server
and manipulate the HTTP request, while web-based methods load websites within frames, causing the web browser to send a referrer URL of their website address. Some web browsers give their users the option to turn off referrer fields in the request header.
Most web browsers do not send the referrer field when they are instructed to redirect using the "Refresh" field. This does not include some versions of Opera
and many mobile web browsers. However, this method of redirection is discouraged by the World Wide Web Consortium
(W3C).
If a website is accessed from a HTTP Secure (HTTPS) connection and a link points to anywhere except another secure location, then the referrer field is not sent.
The upcoming standard HTML5 will support the attribute/value rel = "noreferrer" in order to instruct the user agent not to send a referrer.
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
webpage or resource, the address of the webpage (commonly the Uniform Resource Locator
Uniform Resource Locator
In computing, a uniform resource locator or universal resource locator is a specific character string that constitutes a reference to an Internet resource....
(URL); the more-generic Uniform Resource Identifier
Uniform Resource Identifier
In computing, a uniform resource identifier is a string of characters used to identify a name or a resource on the Internet. Such identification enables interaction with representations of the resource over a network using specific protocols...
(URI); or the internationalization and localization
Internationalization and localization
In computing, internationalization and localization are means of adapting computer software to different languages, regional differences and technical requirements of a target market...
(i18n)-updated Internationalized Resource Identifier
Internationalized Resource Identifier
On the Internet, the Internationalized Resource Identifier is a generalization of the Uniform Resource Identifier . While URIs are limited to a subset of the ASCII character set, IRIs may contain characters from the Universal Character Set , including Chinese or Japanese kanji, Korean, Cyrillic...
(IRI)) of the resource which links to it. By checking the referrer, the new webpage can see where the request originated.
In the most common situation this means that when a user clicks a link
Hyperlink
In computing, a hyperlink is a reference to data that the reader can directly follow, or that is followed automatically. A hyperlink points to a whole document or to a specific element within a document. Hypertext is text with hyperlinks...
in a web browser
Web browser
A web browser is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier and may be a web page, image, video, or other piece of content...
, the browser sends a request to the server holding the destination webpage. The request includes the referrer field, which says the last page the user was on (the one where he/she clicked the link).
Referrer log
Server log
A server log is a log file automatically created and maintained by a server of activity performed by it.A typical example is a web server log which maintains a history of page requests. The W3C maintains a standard format for web server log files, but other proprietary formats exist...
ging is used to allow website
Website
A website, also written as Web site, web site, or simply site, is a collection of related web pages containing images, videos or other digital assets. A website is hosted on at least one web server, accessible via a network such as the Internet or a private local area network through an Internet...
s and web server
Web server
Web server can refer to either the hardware or the software that helps to deliver content that can be accessed through the Internet....
s to identify where people are visiting them from, for promotional or security purposes. Referrer is a popular tool to combat cross-site request forgery
Cross-site request forgery
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts...
, but such security mechanisms are weakened by the ease of disabling or forging a referrer. The referrer is widely used for statistical purposes.
A dereferrer is a means to strip the details of the referring website from a link request so that the target website cannot identify the page which was clicked on to originate a request.
Origin of the term referer
The misspelling referer originated in the original proposal by computer scientist Phillip Hallam-Baker to incorporate the field into the HTTP specification. The misspelling was set in stone by the time of its incorporation into the standards document Request for CommentsRequest for Comments
In computer network engineering, a Request for Comments is a memorandum published by the Internet Engineering Task Force describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems.Through the Internet Society, engineers and...
(RFC) 1945; document co-author Roy Fielding
Roy Fielding
Roy Thomas Fielding is an American computer scientist, one of the principal authors of the HTTP specification, an authority on computer network architecture and co-founder of the Apache HTTP Server project....
has remarked that neither "referrer" nor the misspelling "referer" were recognized by the standard Unix
Unix
Unix is a multitasking, multi-user computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs, including Ken Thompson, Dennis Ritchie, Brian Kernighan, Douglas McIlroy, and Joe Ossanna...
spell checker
Spell checker
In computing, a spell checker is an application program that flags words in a document that may not be spelled correctly. Spell checkers may be stand-alone capable of operating on a block of text, or as part of a larger application, such as a word processor, email client, electronic dictionary,...
of the period. "Referer" has since become a widely used spelling in the industry when discussing HTTP referrers; usage of the misspelling is not universal, though, as the correct spelling of "referrer" is used in some web specifications such as the Document Object Model
Document Object Model
The Document Object Model is a cross-platform and language-independent convention for representing and interacting with objects in HTML, XHTML and XML documents. Aspects of the DOM may be addressed and manipulated within the syntax of the programming language in use...
.
Details
When visiting a webpage, the referrer or referring page is the URL of the previous webpage from which a link was followed.More generally, a referrer is the URL of a previous item which led to this request. The referrer for an image, for example, is generally the HTML
HTML
HyperText Markup Language is the predominant markup language for web pages. HTML elements are the basic building-blocks of webpages....
page on which it is to be displayed. The referrer field is an optional part of the HTTP request sent by the web browser
Web browser
A web browser is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier and may be a web page, image, video, or other piece of content...
to the web server.
Many websites log referrers as part of their attempt to track their users. Most web log analysis software
Web log analysis software
Web log analysis software is a simple kind of Web analytics software that parses a log file from a web server, and based on the values contained in the log file, derives indicators about who, when, and how a web server is visited...
can process this information. Because referrer information can violate privacy
Privacy
Privacy is the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively...
, some web browsers allow the user to disable the sending of referrer information. Some proxy
Proxy server
In computer networks, a proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server...
and firewall software will also filter out referrer information, to avoid leaking the location of non-public websites. This can, in turn, cause problems: some web servers block parts of their website to web browsers that do not send the right referrer information, in an attempt to prevent deep linking
Deep linking
On the World Wide Web, deep linking is making a hyperlink that points to a specific page or image on a website, instead of that website's main or home page. Such links are called deep links.-Example:...
or unauthorised use of images (bandwidth theft). Some proxy software has the ability to give the top-level address of the target website as the referrer, which usually prevents these problems while still not divulging the user's last-visited website.
Recently many blogs have started publishing referrer information in order to link back to people who are linking to them, and hence broaden the conversation. This has led, in turn, to the rise of referrer spam: the sending of fake referrer information in order to popularize the spammer's website.
Many pornographic paysite
Paysite
A paysite, in pornography jargon, is a website that charges money to become a member and view its content, and often produces original adult content. They can be contrasted with "free-sites", which do not charge a membership fee. Most paysites offer "free tours" which allow non-members to view a...
s use referrer information to secure their websites. Only web browsers arriving from a small set of approved (login) pages are given access; this facilitates the sharing of materials among a group of cooperating paysites. Referrer spoofing is often used to gain free access to these paysites.
Referrer hiding
Most web servers maintain logs of all traffic, and record the HTTP referrer sent by the web browser for each request. This raises a number of privacy concerns, and as a result, a number of systems to prevent web servers being sent the real referring URL have been developed. These systems work either by blanking the referrer field or by replacing it with inaccurate data. Generally, Internet-securityInternet security
Internet security is a branch of computer security specifically related to the Internet. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet represents an insecure channel for exchanging information leading to a high risk of intrusion or fraud,...
suites blank the referrer data, while web-based servers replace it with a false URL, usually their own. This, of course, raises the problem of referrer spam. The technical details of both methods are fairly consistent — software applications act as a proxy server
Proxy server
In computer networks, a proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server...
and manipulate the HTTP request, while web-based methods load websites within frames, causing the web browser to send a referrer URL of their website address. Some web browsers give their users the option to turn off referrer fields in the request header.
Most web browsers do not send the referrer field when they are instructed to redirect using the "Refresh" field. This does not include some versions of Opera
Opera (web browser)
Opera is a web browser and Internet suite developed by Opera Software with over 200 million users worldwide. The browser handles common Internet-related tasks such as displaying web sites, sending and receiving e-mail messages, managing contacts, chatting on IRC, downloading files via BitTorrent,...
and many mobile web browsers. However, this method of redirection is discouraged by the World Wide Web Consortium
World Wide Web Consortium
The World Wide Web Consortium is the main international standards organization for the World Wide Web .Founded and headed by Tim Berners-Lee, the consortium is made up of member organizations which maintain full-time staff for the purpose of working together in the development of standards for the...
(W3C).
If a website is accessed from a HTTP Secure (HTTPS) connection and a link points to anywhere except another secure location, then the referrer field is not sent.
The upcoming standard HTML5 will support the attribute/value rel = "noreferrer" in order to instruct the user agent not to send a referrer.
See also
- Referrer spam, providing fake referrer information in order to popularize a spammer's website.
- Referrer spoofing, changing referrer information to prevent a web page from gathering accurate data on the identity of the user's previously visited web page.
External links
- RFC 2616: Hypertext Transfer Protocol – HTTP/1.1
- IRI – Internationalized Resource Identifiers