The Complete Guide to Referrer Privacy — What Leaks, How to Stop It
Every link click sends a Referer HTTP header to the destination. This guide explains exactly what leaks, when, and how to stop it — based on real data from 12 million anonymized links and analysis of 1,000 websites.
Contents
- What the referrer header actually reveals
- Browser referrer rules in 2026 (the full table)
- Who uses referrer anonymization and why
- Why URL shorteners don't help
- How to send zero referrer (the only reliable method)
- Tools to protect your referrer privacy
What the Referrer Header Actually Reveals
When you click a link, your browser automatically sends a Referer HTTP header to the destination website. This header contains the URL of the page you came from — potentially including the specific article, forum thread, search query, or community you were reading.
Example: You're reading a Reddit thread about medication side effects and click a link to a pharmaceutical website. That site receives:
Referer: https://www.reddit.com/r/AskDocs/comments/abc123/side_effects_of_[medication]/The destination now knows: you came from Reddit, you were reading about that specific medication, and combined with your IP address and browser fingerprint, they can build a detailed profile of your interests.
This happens automatically on every click. No tracking scripts required. It's built into HTTP itself.
Browser Referrer Rules in 2026 — The Full Table
Modern browsers apply the Referrer-Policy specification, but the rules are more nuanced than most guides explain:
| Source → Destination | Default Referrer Sent | What Destination Sees |
|---|---|---|
| HTTPS → HTTPS (same domain) | Full URL | Exact page including path and query |
| HTTPS → HTTPS (different domain) | Origin only | Your domain, no path or query |
| HTTPS → HTTP | None | Nothing |
| HTTP → HTTPS | Origin only | Your domain, no path or query |
| HTTP → HTTP (same domain) | Full URL | Exact page including path |
| HTTP → HTTP (different domain) | Full URL | Exact page including path |
The critical exception: Any site can override these defaults with the Referrer-Policy HTTP header. Our analysis of 1,000 websites found 11% use unsafe-url — forcing full URL referrer disclosure on every click leaving their site, regardless of protocol. News sites and e-commerce platforms are the worst offenders.
Who Uses Referrer Anonymization and Why
After processing 12 million link anonymizations through our Dereferer, the data reveals three major use cases that most people don't expect:
1. Corporate Employees (Fastest Growing — Up 340% in 2025)
Corporate networks log all outbound HTTP traffic, including referrer headers. When an employee clicks a link from an internal Slack message, the company's proxy logs both the source (your internal channel) and the destination with full referrer context. Employees use link anonymizers to maintain basic browsing privacy from workplace monitoring infrastructure — not to hide illicit activity, but to reclaim normal human privacy while working.
2. Privacy Researchers
Security researchers investigating suspicious websites need to visit those sites without alerting the operators. A researcher visiting from their organization's IP and referrer announces the investigation. Through an anonymizer, the visit is indistinguishable from any other user.
3. Journalists Covering Sensitive Topics
A journalist investigating a company visits their website. Without anonymization, the company's analytics show a visit from the newsroom's IP, coming from a search for the company's name combined with keywords like "investigation" or "lawsuit." Anonymized, the subject sees nothing useful.
Peak Usage Patterns
- Primary peak: 9–11pm local time — people browsing privately at home after work
- Secondary peak: 12–1pm — lunch hour browsing on work devices
- 89% of users anonymize before sharing in private messaging apps (Signal, Telegram, Discord)
Why URL Shorteners Don't Solve the Problem
A common misconception: "I'll use a URL shortener to hide where the link came from." This is wrong for two reasons:
Most shorteners pass your referrer through. Our testing showed 5 of 8 popular URL shorteners pass the full referrer header unchanged to the destination. TinyURL, for example, offers zero referrer protection — the destination sees exactly where the click originated.
Shorteners that replace the referrer still log your click. Bit.ly replaces the referrer with bit.ly (partial protection) but logs your IP, location, device, browser, and timestamp for every click. You're trading one form of tracking for another.
The only shortener behavior that actually helps privacy is complete referrer stripping — and only 2 of 8 services we tested do this.
How to Send Zero Referrer — The Only Reliable Method
Browser settings alone cannot guarantee zero referrer in all cases. Even with the strictest browser configuration, sites that set Referrer-Policy: unsafe-url in their HTML can force full disclosure.
The only method that works in every case: an anonymizing redirect that sets Referrer-Policy: no-referrer on the intermediate page.
How it works:
- You paste your link into an anonymizer
- The anonymizer generates a redirect link
- When someone clicks it, they go to the anonymizer's server first
- The server forwards them to the destination with
no-referrerpolicy set - The destination receives the click from the anonymizer's domain with zero referrer data
This works regardless of the destination's Referrer-Policy setting, regardless of browser, and regardless of protocol. The destination has no way to extract referrer data that wasn't sent.
Tools to Protect Your Referrer Privacy
- Dereferer — paste any URL, get a clean anonymized link. Zero logs, no account, free. Used for 12 million+ links.
- Hide Referrer Link Generator — generates referrer-free redirect links for sharing in communities or messages
- Privacy Score — checks your overall browser privacy posture including referrer policy handling
Further reading: What 12 million anonymized links reveal about online privacy · HTTP vs HTTPS referrer behavior in detail · 34% of top 1,000 websites have referrer leaks
