You can easily tell that 100 people coming from Twitter have accessed your website simply by looking at the Referer header sent by the client; note that Twitter does not send a Referrer-Policy header, nor does its Content-Security-Policy specify a referrer directive.
Without this header every user sends a Referer. Imagine that your website is https://website.com and one of its pages links to https://blog.com. Whenever the user clicks https://blog.com, the browser will send:
Referer: https://website.com
This tells the other site that the visitor came from your website, but in some cases it learns considerably more, for example:
Referer: https://website.com/admin/monitorar_comentario/123
From this we can tell that you are an administrator of website.com and that you were monitoring a comment in which I wrote the URL https://blog.com, which you then clicked. In other cases even more sensitive data may be present in the URL (a password-reset or session token in the query string, for instance).
Values:
You can set the Referrer-Policy in several ways: as an HTTP response header (Referrer-Policy: no-referrer), as a <meta name="referrer" content="..."> element in the page, per element with the referrerpolicy attribute on <a>, <img>, <script> and similar tags, or per link with rel="noreferrer". The possible values, each with the Referer it produces for six sample navigations, are:
- no-referrer :
Never sends Referer, whatever the origin or protocol of the destination.
+----------------------------+----------------------------+----------+
| From                       | To                         | Referer  |
+----------------------------+----------------------------+----------+
| https://website.com/post1/ | http://website.com/post2/  | (none)   |
| https://website.com/post1/ | https://website.com/post2/ | (none)   |
| http://website.com/post1/  | http://website.com/post2/  | (none)   |
| http://website.com/post1/  | http://outro-site.com      | (none)   |
| http://website.com/post1/  | https://outro-site.com     | (none)   |
| https://website.com/post1/ | http://outro-site.com      | (none)   |
+----------------------------+----------------------------+----------+
- no-referrer-when-downgrade :
Removes Referer only when a protocol downgrade occurs, that is, from HTTPS to HTTP. Any other transition sends the full URL as usual: HTTP -> HTTPS, HTTP -> HTTP and HTTPS -> HTTPS all send it; only HTTPS -> HTTP does not.
+----------------------------+----------------------------+----------------------------+
| From                       | To                         | Referer                    |
+----------------------------+----------------------------+----------------------------+
| https://website.com/post1/ | http://website.com/post2/  | (none)                     |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com/post1/ |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com/post1/  |
| http://website.com/post1/  | http://outro-site.com      | http://website.com/post1/  |
| http://website.com/post1/  | https://outro-site.com     | http://website.com/post1/  |
| https://website.com/post1/ | http://outro-site.com      | (none)                     |
+----------------------------+----------------------------+----------------------------+
- same-origin :
Sends the full URL only when the destination has the same origin (same scheme, host and port) as the current page; every cross-origin navigation gets no Referer. Note that https://website.com and http://website.com are different origins, so that transition counts as cross-origin too.
+----------------------------+----------------------------+----------------------------+
| From                       | To                         | Referer                    |
+----------------------------+----------------------------+----------------------------+
| https://website.com/post1/ | http://website.com/post2/  | (none)                     |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com/post1/ |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com/post1/  |
| http://website.com/post1/  | http://outro-site.com      | (none)                     |
| http://website.com/post1/  | https://outro-site.com     | (none)                     |
| https://website.com/post1/ | http://outro-site.com      | (none)                     |
+----------------------------+----------------------------+----------------------------+
- origin :
Always sends only the origin (scheme://host, no path or query string), for same-origin and cross-origin destinations alike, even on a downgrade to HTTP.
+----------------------------+----------------------------+---------------------+
| From                       | To                         | Referer             |
+----------------------------+----------------------------+---------------------+
| https://website.com/post1/ | http://website.com/post2/  | https://website.com |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com  |
| http://website.com/post1/  | http://outro-site.com      | http://website.com  |
| http://website.com/post1/  | https://outro-site.com     | http://website.com  |
| https://website.com/post1/ | http://outro-site.com      | https://website.com |
+----------------------------+----------------------------+---------------------+
- strict-origin :
Like origin, but if a downgrade (HTTPS to HTTP) occurs it removes Referer entirely instead of sending the origin.
+----------------------------+----------------------------+---------------------+
| From                       | To                         | Referer             |
+----------------------------+----------------------------+---------------------+
| https://website.com/post1/ | http://website.com/post2/  | (none)              |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com  |
| http://website.com/post1/  | http://outro-site.com      | http://website.com  |
| http://website.com/post1/  | https://outro-site.com     | http://website.com  |
| https://website.com/post1/ | http://outro-site.com      | (none)              |
+----------------------------+----------------------------+---------------------+
- origin-when-cross-origin :
Sends only the origin when the destination is cross-origin; for same-origin destinations it sends the full URL. Because the scheme is part of the origin, https://website.com/post1/ -> http://website.com/post2/ is cross-origin and receives only the origin; this policy offers no downgrade protection, so the origin is still sent to the HTTP page.
+----------------------------+----------------------------+----------------------------+
| From                       | To                         | Referer                    |
+----------------------------+----------------------------+----------------------------+
| https://website.com/post1/ | http://website.com/post2/  | https://website.com        |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com/post1/ |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com/post1/  |
| http://website.com/post1/  | http://outro-site.com      | http://website.com         |
| http://website.com/post1/  | https://outro-site.com     | http://website.com         |
| https://website.com/post1/ | http://outro-site.com      | https://website.com        |
+----------------------------+----------------------------+----------------------------+
- strict-origin-when-cross-origin :
Does exactly what origin-when-cross-origin does, but, like strict-origin, removes Referer entirely if there is a downgrade (from HTTPS to HTTP).
+----------------------------+----------------------------+----------------------------+
| From                       | To                         | Referer                    |
+----------------------------+----------------------------+----------------------------+
| https://website.com/post1/ | http://website.com/post2/  | (none)                     |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com/post1/ |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com/post1/  |
| http://website.com/post1/  | http://outro-site.com      | http://website.com         |
| http://website.com/post1/  | https://outro-site.com     | http://website.com         |
| https://website.com/post1/ | http://outro-site.com      | (none)                     |
+----------------------------+----------------------------+----------------------------+
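The following is an added example, not code from the original post, that models how a browser derives the Referer value under each policy described above and replays the six navigations used in the tables. It follows the Fetch standard's referrer-determination steps; it also covers unsafe-url, which the post does not list, as the policy that always sends the full URL. The function names and the sample navigation list are this example's own.

```javascript
// Added example (not from the original post): derive the Referer a browser
// would send for a navigation from `fromUrl` to `toUrl` under a given
// Referrer-Policy, following the Fetch standard's referrer-determination
// steps. Returns a string, or null when the header is omitted ("(none)" in
// the tables above). Runs on Node.js with no dependencies (WHATWG URL is global).

function stripForReferrer(url) {
  // A Referer never carries credentials or the fragment, whatever the policy.
  const copy = new URL(url.href);
  copy.username = '';
  copy.password = '';
  copy.hash = '';
  return copy.href;
}

function isDowngrade(from, to) {
  // The case the post cares about: a TLS-protected page linking to plaintext HTTP.
  return from.protocol === 'https:' && to.protocol === 'http:';
}

function determineReferrer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Origin = scheme + host + port, so https://website.com and http://website.com differ.
  const sameOrigin = from.origin === to.origin;
  const full = stripForReferrer(from);
  const origin = from.origin;

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':
      return isDowngrade(from, to) ? null : full;
    case 'same-origin':
      return sameOrigin ? full : null;
    case 'origin':
      return origin;
    case 'strict-origin':
      return isDowngrade(from, to) ? null : origin;
    case 'origin-when-cross-origin':
      return sameOrigin ? full : origin;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return isDowngrade(from, to) ? null : origin;
    case 'unsafe-url': // not covered by the post: always leaks the full URL
      return full;
    default:
      throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// The six (from, to) pairs used in the tables above (constructed sample input).
const SAMPLE_NAVIGATIONS = [
  ['https://website.com/post1/', 'http://website.com/post2/'],
  ['https://website.com/post1/', 'https://website.com/post2/'],
  ['http://website.com/post1/', 'http://website.com/post2/'],
  ['http://website.com/post1/', 'http://outro-site.com'],
  ['http://website.com/post1/', 'https://outro-site.com'],
  ['https://website.com/post1/', 'http://outro-site.com'],
];

const POLICIES = [
  'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin',
  'unsafe-url',
];

// Rebuild one of the tables above for a policy: rows of [from, to, referer].
function tableFor(policy) {
  return SAMPLE_NAVIGATIONS.map(([from, to]) => [from, to, determineReferrer(policy, from, to)]);
}

for (const policy of POLICIES) {
  console.log(`\nReferrer-Policy: ${policy}`);
  for (const [from, to, referer] of tableFor(policy)) {
    console.log(`  ${from} -> ${to}: ${referer === null ? '(none)' : referer}`);
  }
}
```

Run it with node and compare the printed rows with the tables above. The stripping of credentials and fragment applies before any policy is consulted, which is why even unsafe-url never reveals a userinfo or #fragment part of the URL.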
A question you might ask: why so much concern over whether the destination is HTTP or HTTPS? Several policies exist purely to drop Referer on an HTTPS-to-HTTP transition, and the strict-* ones are careful never to send it over HTTP at all. The reason is that HTTP is not encrypted, so anyone on the network path can read which page you were on. If you were at https://a.com/b/c/d and clicked through to http://evil.com, the URL that TLS had kept private now travels in plain text in the request to evil.com.
Recommendations:
If you want to ensure greater "anonymity", use no-referrer; it is usually what I use. But the Referer may be important to you, so in that case try strict-origin-when-cross-origin, which is also what current browsers apply when no policy is set at all. If you are sure there is no sensitive information in your URLs you can use no-referrer-when-downgrade, simply so that you do not leak the Referer to other people over plain HTTP.
You can also send a different Referrer-Policy based on DNT. DNT is Do Not Track, a header sent by the user to signal that they do not want to be tracked, so you can respond to those users with no-referrer to guarantee that your system will not track them this way. Keep in mind that DNT is only a hint: nothing obliges a site to respect it, and browser support for sending it has been fading.
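An added example, not code from the original post, of choosing the Referrer-Policy per response as recommended above: a strict default, and no-referrer for clients that sent DNT: 1. The helper names are this example's own; it is written for a plain Node.js http server.

```javascript
// Added example (not from the original post): pick the Referrer-Policy to send
// per response, applying the post's recommendations. Plug `applyReferrerPolicy`
// into a Node.js http server, e.g.
//   http.createServer((req, res) => { applyReferrerPolicy(req, res); res.end('ok'); })

const DEFAULT_POLICY = 'strict-origin-when-cross-origin'; // safe default from the recommendations
const DNT_POLICY = 'no-referrer';                          // for users who asked not to be tracked

function chooseReferrerPolicy(requestHeaders) {
  // Node.js exposes incoming header names in lower case; DNT is "1" when enabled.
  const dnt = String(requestHeaders.dnt ?? '').trim();
  return dnt === '1' ? DNT_POLICY : DEFAULT_POLICY;
}

function applyReferrerPolicy(req, res) {
  const policy = chooseReferrerPolicy(req.headers);
  res.setHeader('Referrer-Policy', policy);
  // The response now differs by DNT, so tell caches to key on that header;
  // otherwise a shared cache could hand a DNT user the copy carrying the
  // looser policy.
  res.setHeader('Vary', 'DNT');
  return policy;
}
```

The Vary: DNT header is the part people forget: once the policy depends on a request header, any intermediate cache must be told so, or the no-referrer variant is only served to whoever happened to populate the cache first.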
You, as a user, can also use browser extensions that strip Referer in every case, independently of what the site's developer did, as well as block connections to trackers such as Google Analytics, Chartbeat and Clicky, and enable DNT.
Remember that the Content-Security-Policy header already offers similar features and more control, such as limiting which hosts the page may connect to (mitigating XSS), limiting them per element type (form-action for forms is different from font-src for fonts, which is different from img-src for images...), and allowing inline scripts only when their hash matches, to prevent malicious alteration. It once allowed setting the referrer policy too, through a referrer directive, but that directive was deprecated and has been removed from browsers; use the Referrer-Policy header instead.