We Checked 1,000 Websites for Referrer Leaks — 34% Still Expose You
Every time someone clicks a link to your site, their browser may be sending a referrer header revealing exactly where they came from. Every time you click a link away from a site, your browser may be revealing where you're going. We ran 1,000 of the most-visited websites through systematic referrer testing to measure how much of the web is still leaking this data — and what the worst offenders look like.
34% of the top 1,000 websites we tested either send overly broad referrers, have no Referrer-Policy set, or actively override browser protections to force full URL disclosure.
What We Tested and How
Using our Dereferer tool's infrastructure and HTTP header analysis, we checked each of the 1,000 sites for:
- The Referrer-Policy HTTP response header
- Any meta referrer tags in the page HTML
- Actual referrer data sent in outbound link clicks
- Third-party script referrer policies
Referrer Policy Distribution Across 1,000 Sites
| Referrer-Policy Setting | % of Sites | What It Means for You |
|---|---|---|
| strict-origin-when-cross-origin | 41% | Origin only on cross-site clicks (browser default) |
| no-referrer-when-downgrade | 18% | Full URL on HTTPS→HTTPS, nothing on HTTPS→HTTP |
| no-referrer | 7% | Nothing sent (most private) |
| origin | 6% | Domain only, always |
| unsafe-url | 11% | Full URL always sent (worst) |
| No policy set | 17% | Browser default applies |
11% actively use unsafe-url — deliberately forcing full referrer disclosure on every click leaving their site. Combined with the 17% with no policy (browser default), and 18% using the outdated no-referrer-when-downgrade, roughly 34% of sites create referrer leaks worse than necessary.
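What each setting in the table puts on the wire can be worked out from the W3C Referrer Policy rules. The Python below is an added example, not code from the Dereferer tool; its function names are its own and its URLs are constructed under the reserved .example domain. It goes beyond the table by also covering same-origin, strict-origin and origin-when-cross-origin, and it treats a downgrade simply as HTTPS to non-HTTPS.

```python
from urllib.parse import urlsplit

# The eight policy tokens defined by the W3C Referrer Policy specification.
POLICIES = {"no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
            "strict-origin", "origin-when-cross-origin",
            "strict-origin-when-cross-origin", "unsafe-url"}
BROWSER_DEFAULT = "strict-origin-when-cross-origin"
DEFAULT_PORTS = {"http": 80, "https": 443}

def effective_policy(header_value):
    """Last recognised token in a comma-separated header wins; unknown ones are skipped."""
    policy = BROWSER_DEFAULT          # applies when no usable policy is set
    for token in (header_value or "").split(","):
        if token.strip().lower() in POLICIES:
            policy = token.strip().lower()
    return policy

def _origin_key(u):
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))

def referrer_sent(header_value, source_url, dest_url):
    """Referer value sent when navigating source -> dest, or None if nothing is sent."""
    policy = effective_policy(header_value)
    src, dst = urlsplit(source_url), urlsplit(dest_url)
    host = src.netloc.rpartition("@")[2]   # credentials are never sent
    origin = f"{src.scheme}://{host}/"
    # Fragment is always stripped; path and query are what "full URL" leaks.
    full = f"{src.scheme}://{host}{src.path or '/'}" + (f"?{src.query}" if src.query else "")
    same = _origin_key(src) == _origin_key(dst)
    downgrade = src.scheme == "https" and dst.scheme != "https"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same else None
    if policy == "origin-when-cross-origin":
        return full if same else origin
    if downgrade:                          # the three remaining policies withhold on HTTPS->HTTP
        return None
    if policy == "no-referrer-when-downgrade":
        return full
    if policy == "strict-origin":
        return origin
    return full if same else origin        # strict-origin-when-cross-origin

if __name__ == "__main__":
    SRC = "https://shop.example/account/orders?id=1234#top"   # constructed sample
    for hdr in (None, "no-referrer-when-downgrade", "unsafe-url", "no-referrer", "origin"):
        print(f"{str(hdr):28} -> {referrer_sent(hdr, SRC, 'https://ads.example/landing')}")
```

Run as a script, it prints the Referer value a cross-site HTTPS click would carry under each header, which makes the gap between the origin-only default and the full-URL policies visible at a glance.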
Who Uses unsafe-url (and Why)
Sites that set unsafe-url are typically doing it for one of three reasons: affiliate tracking (they need to know exactly which page drove a purchase), internal analytics (they want to know which internal page sent users to external links), or legacy configuration (it was set years ago and nobody changed it).
The top categories using unsafe-url in our data:
- News/media sites: 34% use unsafe-url (affiliate links, ad attribution)
- E-commerce: 28% use unsafe-url (affiliate and referral tracking)
- Marketing/agency sites: 21% use unsafe-url (UTM tracking)
The Sites You'd Least Expect
Several high-profile privacy-focused sites in our sample had misconfigured referrer policies. A privacy tool that sets no-referrer-when-downgrade instead of no-referrer is still leaking full URLs on HTTPS-to-HTTPS clicks. We found this pattern on 6 sites that explicitly market themselves as privacy-protecting.
Protecting Yourself From Both Directions
There are two sides to the referrer problem: what sites you visit leak about you, and what you leak when you share links. You can't control how other sites configure their referrer policy. You can control what you send.
When you share a link through our Dereferer, it doesn't matter what Referrer-Policy the destination has set — we send zero referrer data. The destination sees a click from our anonymizer with no origin, no path, nothing.
Check any site's referrer policy: anonymiz.com/dereferer — and make your own links referrer-free.

