What Is the HTTP Referer Header?
The HTTP Referer header (note the historical misspelling — it should be "referrer" but has always been spelled "referer" in the spec) is an HTTP request header sent by browsers when navigating from one page to another by clicking a link.
It contains the URL of the page the user was on when they clicked the link. So if you click a link on https://example.com/page-a to visit https://destination.com, the destination receives:
Referer: https://example.com/page-a
Check what Referer your browser is currently sending with our My Referrer Checker.
What Does the Referer Header Reveal?
Depending on the source page, the Referer can expose:
- Search terms — Google search URLs historically contained the query string, leaking your search to every site you clicked through to
- Internal company URLs — If you share a link from your intranet, the destination sees the internal URL structure
- Forum membership — Clicking a link from a private community exposes that community's URL to external sites
- Campaign sources — Marketing teams can see which platform a competitor is running ads on by reading their Referer logs
- Authentication tokens — Some poorly designed applications include session tokens in URLs, which then leak via Referer
- Personal identifiers — User IDs, account numbers, or other identifiers embedded in page URLs
A Brief History of the Referer Header
The Referer header was introduced in HTTP/1.0 in 1996. The misspelling was included in the original proposal by Phillip Hallam-Baker and was carried forward into the RFC standard despite the error being noticed. By the time anyone thought to fix it, too much software depended on the exact spelling.
The Referrer-Policy Header: Controlling What Gets Sent
Website owners can control how much referrer information their site sends when users click outbound links. The Referrer-Policy response header accepts these values:
no-referrer— Never send any referrer informationno-referrer-when-downgrade— Send when navigating HTTPS→HTTPS, suppress for HTTPS→HTTP (browser default)origin— Send only the domain, not the full path (e.g.,https://example.com/instead of the full page URL)origin-when-cross-origin— Full URL for same-origin, domain only for cross-originsame-origin— Only send referrer when staying on the same domainstrict-origin— Send domain only, and suppress for HTTPS→HTTPstrict-origin-when-cross-origin— Current recommended default for most sitesunsafe-url— Always send full URL (discouraged)
How to Remove the Referer Header as a User
You have several options depending on your situation:
Use a Dereferer Service (Easiest)
Our Dereferer wraps any link and strips the Referer header before the visitor reaches the destination. Works for any URL, instantly, free.
Copy and Paste the URL
Pasting a URL directly into the browser address bar instead of clicking a link removes the Referer entirely. The browser treats address bar navigation as a direct visit.
Use the rel="noreferrer" Attribute (For Developers)
Add rel="noreferrer" to any HTML anchor tag to suppress the Referer for that specific link.
Set a Site-Wide Referrer-Policy (For Website Owners)
Add the Referrer-Policy: no-referrer header to your server responses, or use the HTML meta tag: <meta name="referrer" content="no-referrer">
Check Your Current Referrer
Use our My Referrer Checker to see the exact Referer header your browser is sending right now. Navigate to it from different pages to see how the header changes depending on where you came from.
Related Tools
- Dereferer — Strip Referer from any link, batch mode included
- Hide Referrer Link — Create anonymous redirect links
- Referrer Removal Tool — One-click referrer stripping
- HTTP Headers Checker — Inspect all request and response headers
