HTTP vs HTTPS Links: What Your Referrer Header Leaks in Each Case
Most people know HTTPS is more secure than HTTP. Fewer know that the protocol difference dramatically changes how much referrer data leaks when someone clicks your link. After analyzing millions of requests through our Dereferer tool, we can show you exactly what leaks where — and it's not what most privacy guides describe.
The Referrer Rules Most Guides Get Wrong
The common advice is "HTTPS doesn't send referrers to HTTP sites." This is partially true but incomplete. The actual browser behavior follows the Referrer-Policy spec, and the defaults have changed multiple times. Here's the current reality across browser versions in 2026:
| Source → Destination | Default Referrer Sent | What the Destination Sees |
|---|---|---|
| HTTPS → HTTPS (same domain) | Full URL | Exact page you came from |
| HTTPS → HTTPS (different domain) | Origin only | Your domain, no path |
| HTTPS → HTTP | None | Nothing |
| HTTP → HTTPS | Origin only | Your domain, no path |
| HTTP → HTTP (same domain) | Full URL | Exact page you came from |
| HTTP → HTTP (different domain) | Full URL | Exact page you came from |
The key insight: HTTPS to HTTPS cross-domain sends your origin (domain) but not the full path. So if you click a link on Reddit (HTTPS) to a privacy tool (HTTPS), the destination sees https://www.reddit.com — not the specific thread you were in. But if any part of the chain is HTTP, behavior changes significantly.
Where Full URL Leaks Still Happen in 2026
Despite years of browser improvements, full referrer URL leaks still happen in three common scenarios:
1. Sites that override Referrer-Policy. Any site can set Referrer-Policy: unsafe-url in its HTTP response headers, forcing full URL referrers regardless of protocol. We found 11% of the top 500 sites do this.
2. HTTP pages still exist. 8% of pages in our data were still served over HTTP in 2026. Links shared from these pages leak full URLs to any destination.
3. Meta referrer tags in page HTML. Sites can set <meta name="referrer" content="always"> to force full referrer disclosure. News and e-commerce sites commonly do this for affiliate tracking.
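A check for the three conditions listed above, as an added example that is not part of the original article or the Dereferer tool. The function names, finding labels and sample responses are constructed for illustration; the check also flags no-referrer-when-downgrade, which the article does not mention, and maps legacy meta keywords such as "always" to their modern policy names.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Legacy <meta name="referrer"> keywords and the policies browsers map them to.
LEGACY = {"always": "unsafe-url", "never": "no-referrer",
          "origin-when-crossorigin": "origin-when-cross-origin"}
KNOWN = {"no-referrer", "no-referrer-when-downgrade", "origin",
         "origin-when-cross-origin", "same-origin", "strict-origin",
         "strict-origin-when-cross-origin", "unsafe-url"}
# Policies that send the full URL cross-origin (the second except on HTTPS -> HTTP).
FULL_URL = {"unsafe-url", "no-referrer-when-downgrade"}

class MetaReferrer(HTMLParser):
    """Collects the content of every <meta name="referrer"> tag."""
    def __init__(self):
        super().__init__()
        self.values = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.values.append((a.get("content") or "").strip().lower())

def header_policy(value):
    """Last recognised token of a comma-separated Referrer-Policy header."""
    tokens = [t.strip().lower() for t in (value or "").split(",")]
    known = [t for t in tokens if t in KNOWN]
    return known[-1] if known else None

def audit(url, headers, html):
    """Return findings for the three full-URL leak scenarios in the list above."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    policy = header_policy(hdrs.get("referrer-policy"))
    if policy in FULL_URL:
        findings.append(f"header: {policy}")
    if urlsplit(url).scheme == "http":
        findings.append("scheme: http")
    parser = MetaReferrer()
    parser.feed(html)
    findings += [f"meta: {raw}" for raw in parser.values if LEGACY.get(raw, raw) in FULL_URL]
    return findings

# Constructed sample responses (not captured traffic).
SAMPLES = [
    ("https://shop.example/item?id=7", {"Referrer-Policy": "no-referrer, unsafe-url"}, ""),
    ("http://old.example/post", {}, '<meta name="referrer" content="always">'),
    ("https://ok.example/", {"Referrer-Policy": "strict-origin-when-cross-origin"}, "")]
for url, headers, html in SAMPLES:
    print(url, audit(url, headers, html) or "no full-URL leak condition")
```

An empty result means none of the three conditions applies to that response; the page still discloses its origin on cross-domain clicks under the default policy.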
The Real Privacy Gap: Origin Disclosure
Even the "safe" HTTPS cross-domain case reveals your origin domain. This matters more than people realize:
- A health site knows you came from reddit.com (even without the specific thread)
- A competitor knows you came from your company's domain
- A controversial site knows you came from a specific community
Origin-level disclosure is enough for many profiling purposes. Knowing someone came from reddit.com vs linkedin.com vs a company domain tells you a lot about who they are.
The Only Way to Send Zero Referrer
If you want zero referrer data to reach the destination — not just path-stripped, but no origin either — you need an intermediary that sets Referrer-Policy: no-referrer on the redirect page. That's exactly what our Dereferer does.
The redirect page itself has no referrer passed to it from your browser (since you paste the URL directly), and it sets no-referrer before forwarding. The destination gets a click from our domain with zero referrer attached.
No HTTPS configuration, no browser setting, no extension achieves this across all cases. The only reliable zero-referrer solution is an anonymizing intermediary.
Strip your referrer entirely: anonymiz.com/dereferer — paste any link, get a clean one back.

