Remove http referer

Http, Http Headers, Referrer Policy

Http Problem Overview


Is there a way to remove or hide HTTP referer information in the request header? I want to remove the HTTP referrer information of users who go to another site from my site, using a script, possibly in JavaScript, Python or Django.

example:

Host	slogout.espncricinfo.com
User-Agent	Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0    
Accept	text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8    
Accept-Language	en-us,en;q=0.5    
Accept-Encoding	gzip, deflate    
Accept-Charset	ISO-8859-1,utf-8;q=0.7,*;q=0.7    
Connection	keep-alive
Referer	http://slogout.espncricinfo.com/index.php?page=index&level=login

Http Solutions


Solution 1 - Http

As of 2015 this is how you prevent sending the Referer header:

Just add this to the head section of the web page:

 <meta name="referrer" content="no-referrer" />

This works both for links and for Ajax requests made by JavaScript code on the page.

Other valid meta options include:

<meta name="referrer" content="unsafe-url" />
<meta name="referrer" content="origin" />
<meta name="referrer" content="no-referrer-when-downgrade" />
<meta name="referrer" content="origin-when-cross-origin" />

• See if it works for your browser here: http://caniuse.com/#feat=referrer-policy

• See specs here: http://w3c.github.io/webappsec/specs/referrer-policy/

Also note that browsers now send the Origin header (with CORS requests and POST requests, see here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin) which includes domain and port, and, as far as I know, cannot be removed. If you use <meta name="referrer" content="origin" /> the referrer will contain similar information to the Origin header, which is already good from a privacy point of view, since it will hide the exact page the user is in.

Update:

If you want to remove the referrer by using JavaScript only, you may add the appropriate meta tag dynamically just before making the Ajax request. This JavaScript will add <meta name="referrer" content="no-referrer" /> to the head section of the web page:

var meta = document.createElement('meta');
meta.name = "referrer";
meta.content = "no-referrer";
document.getElementsByTagName('head')[0].appendChild(meta);

Solution 2 - Http

There is a cross-browser solution in JavaScript; it uses iframes created dynamically. Check a proof of concept (disclaimer: it uses a little JS lib I coded for that purpose).

Solution 3 - Http

If you are only interested in hiding the full URL and don't mind keeping your domain name exposed, this small JavaScript code does the job.

Your user is at example.com/secret_url_we_want_to_hide, and your user clicks a link which is supposed to send them to google.com, but instead of <a href="http://google.com">Go to Google</a>, we use this:

<a href="http://example.com/redirect.html#http://google.com">Go to Google</a>

Where /redirect.html is an HTML page containing the following: (Edit: Please see the update!)

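<html><head></head><script>
// The target is everything after '#'; only follow http(s) URLs
var target = location.hash.substring(1);
if (/^https?:\/\//i.test(target)) window.location.replace(target);
</script></html>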

Google.com will see http://example.com/redirect.html in the referrer tag and will never see the actual example.com/secret_url_we_want_to_hide.

UPDATE:

Firefox has a bug with location.hash, the workaround is the following:

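<html><head></head><script>
// Take everything after the first '#' from href instead of location.hash
var workaround_hash = location.href.split('#').splice(1).join('#');
// Only follow http(s) URLs
if (/^https?:\/\//i.test(workaround_hash)) window.location.replace(workaround_hash);
</script></html>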
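
A redirect.html page like the one above navigates to whatever follows the `#`, so the target should be validated before use. The following is an added example, not part of the original answer, that parses the target, accepts only http(s) URLs and checks the host against an allowlist; `ALLOWED_HOSTS` and `safeTarget` are hypothetical names.

```javascript
// Added example: validate the fragment-supplied target before navigating.
// ALLOWED_HOSTS is a hypothetical allowlist; list the sites you actually link to.
const ALLOWED_HOSTS = new Set(['google.com', 'www.google.com']);

// Returns a normalized URL that is safe to navigate to, or null to refuse.
function safeTarget(href) {
  const i = href.indexOf('#');
  if (i === -1) return null;                 // no target supplied
  const raw = href.slice(i + 1);             // read from href, as in the Firefox workaround
  let url;
  try {
    url = new URL(raw);                      // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  // Only web schemes: rejects javascript:, data: and similar
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  // Refuse embedded credentials, which can disguise the real host
  if (url.username || url.password) return null;
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  return url.href;
}

// In redirect.html (runs only in a browser):
if (typeof window !== 'undefined') {
  const target = safeTarget(window.location.href);
  if (target) window.location.replace(target);
}
```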

Solution 4 - Http

There are a variety of mechanisms to do that, depending on what browser version you use. For any browser, if the destination is over HTTP, you can "launder" the origin by redirecting to an HTTPS page which then navigates to the target page.

For IE, you can perform the navigation using JavaScript (e.g. window.open) which will suppress the referer. Or you can use META Refresh, but there's a perf cost to that. For WebKit-based browsers, see the NoReferrer LINK REL option: http://www.webkit.org/blog/907/webkit-nightlies-support-html5-noreferrer-link-relation/

Solution 5 - Http

<meta name="referrer" content="no-referrer"/>

If you put the above code on your page, all outgoing links (user clicks) will not send referrer information.

Documentation

Solution 6 - Http

I had been searching for a similar solution, blank the referrer, but only to count unique visits from a referring website. The problem I had was that, if someone visited my site from a particular link, the visit counter would go up, but if that person refreshed the page, the visitor counter was still going up.

I used Google to visit several resources on this topic, and yes, it was very, very difficult to find the answer until someone pointed me to look at php.net for a solution.

I found the solution in using

header('Refresh: 0; url=index.php');

But just the above code is not the solution. The solution lies in its placement. Here is the full code:

// Referer is absent on direct visits, so fall back to an empty string
$ref = $_SERVER['HTTP_REFERER'] ?? '';
$domain = parse_url($ref, PHP_URL_HOST);

if ($domain === "google.com")
{
    // Resets header info to host site so that on page refresh, the hit counter does not
    // increase but increases only when someone visits from google url again
    header('Refresh: 0; url=index.php');
}

After the "refresh", header information changes to that of host site, so on page refresh the "if" statement will not validate and the hit counter will not increase.

You can put your hit counter inside the IF block. You can also program different parameters to log blank hits to your website and different parameters to log overall pageloads/pageviews as well.

Hope it helps.....

Solution 7 - Http

Your assumption of accessing the Referer header via JavaScript is not possible. Just like the User-Agent header in HTTP, Referer etc. cannot be accessed by JavaScript. The values of these headers are fed by the browser. What you can do is some tricky workarounds if you need to do so.

Solution 8 - Http

I see no answer mentioning that there is also an HTTP response header that sets the policy, Referrer-Policy. Here's how to set it in Apache:

Header add Referrer-Policy "no-referrer"

Or perhaps a weaker but still safe option, which sends the referrer only when accessing links leading to the same site:

Header add Referrer-Policy "same-origin"

Solution 9 - Http

Another method is to use the history.replaceState() method to hide the query string. For example, if you want to replace http://example.com/search?q=100 with http://example.com/search, you can do it this way:

history.replaceState(null, '', 'search')

Hope this helps! :D

Solution 10 - Http

You can't. It's the browser's decision to send a referer or not. What you can do is hide your referer by using a link anonymizer.

Solution 11 - Http

I was looking for a solution to this as well, and luckily found this [Hide My Referrer][1] site. What impressed me is that it even works for https > https requests.

It will generate a link you can use that will do exactly what you're looking for.

[1]: https://hidemyreferrer.com/ "hide my referrer"

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

| Content Type | Original Author | Original Content on Stackoverflow |
| --- | --- | --- |
| Question | shiva | View Question on Stackoverflow |
| Solution 1 - Http | MarcG | View Answer on Stackoverflow |
| Solution 2 - Http | jpgerek | View Answer on Stackoverflow |
| Solution 3 - Http | Hello World | View Answer on Stackoverflow |
| Solution 4 - Http | EricLaw | View Answer on Stackoverflow |
| Solution 5 - Http | Jyoti Sandhiya | View Answer on Stackoverflow |
| Solution 6 - Http | Sumit | View Answer on Stackoverflow |
| Solution 7 - Http | nibin012 | View Answer on Stackoverflow |
| Solution 8 - Http | IS4 | View Answer on Stackoverflow |
| Solution 9 - Http | Jack Chen | View Answer on Stackoverflow |
| Solution 10 - Http | Jacob | View Answer on Stackoverflow |
| Solution 11 - Http | Brian Smith | View Answer on Stackoverflow |