
Protecting user privacy with the referrer header.

Today I will be telling you about the referrer header, and how you can enable it to help keep your users' browsing private.

What is a referrer header?

To tell you about the referrer header, we need to talk about browsing the internet.

When you are browsing the internet and click on a link, by default the URL of the page you just visited is sent along with the request (in the Referer request header; the misspelling is historical and has stuck). This means the website you have just navigated to knows where you have just come from. Here's an example below:

Interesting, now example.com knows I've just come from Google

As seen, a link to the page I was just browsing was sent along to the website I have just loaded. Now you might think this is rather harmless, but if, for example, you navigate from whatever website you were on to a company which is keen to harvest data for money, that is another piece of data they have on you. This is even worse if you have just come from a sensitive site, as they now know your deep dark secrets.

However, if the website operator wants to help you keep your browsing activities secret, they can set a Referrer-Policy header to keep you safe.

How can I use the referrer header?

Using the referrer header is pretty simple, but it does vary depending on your choice of web server. I'll be going over how to set it up for Nginx and Apache, and some of the different options you have for the header. If you want to see how to set it up for other software not listed, here's a link: https://blog.appcanary.com/2017/http-security-headers.html#referrer-policy.

Before we go into how to enable it, let's quickly run over a few options the header gives you. To start, we have the option of no-referrer, which means that the site will send no referrer whatsoever. This is the best option for your users' privacy but may cause the site to break if the software you're using (like Ghost, for example) uses the referrer header to make the site work. If this is the case, we have another option, which is the one I would generally recommend: same-origin. This means the referrer header will be sent, but only to the same origin (an origin is the combination of scheme, host and port, so https:// and http:// versions of the same host are different origins). So if we navigated to https://example.com/page from https://example.com, the referrer header would be sent. But if we navigated to http://example.com/page or https://google.com from https://example.com, no header would be sent.
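To make the origin rules concrete, here is a small added example (my own code, not from the original post) that works out the Referer value a browser would send for a given policy. It handles the two policies discussed above and also the remaining values defined by the Referrer Policy specification; the function names are my own.

```python
# Added example: compute the Referer value sent for a navigation under a given Referrer-Policy.
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Origin tuple (scheme, host, port). Scheme is part of it, so
    https://example.com and http://example.com are different origins."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))

def origin_only(url):
    """Origin serialised as sent for origin-only policies, e.g. https://example.com/"""
    scheme, host, port = origin(url)
    suffix = "" if port == DEFAULT_PORTS.get(scheme) else f":{port}"
    return f"{scheme}://{host}{suffix}/"

def full_url(url):
    """Full URL as sent in Referer: credentials and #fragment are stripped."""
    p = urlsplit(url)
    host = p.hostname + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))

def referrer_for(policy, source, destination):
    """Referer value sent when navigating source -> destination under `policy`,
    or None when no header is sent at all."""
    same_origin = origin(source) == origin(destination)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(destination).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_url(source)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_url(source)
    if policy == "same-origin":
        return full_url(source) if same_origin else None
    if policy == "origin":
        return origin_only(source)
    if policy == "strict-origin":
        return None if downgrade else origin_only(source)
    if policy == "origin-when-cross-origin":
        return full_url(source) if same_origin else origin_only(source)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full_url(source)
        return None if downgrade else origin_only(source)
    raise ValueError(f"unknown Referrer-Policy value: {policy}")
```

For example, referrer_for("same-origin", "https://example.com", "https://google.com") returns None, while the same navigation under unsafe-url would hand Google the full source URL including its query string.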

Right, now let's talk about enabling the referrer header.

Nginx

On nginx, the process is very simple. Open up your server block on which you want to enable this header, and add the following:

add_header Referrer-Policy "same-origin";

If you want to choose a different option, like no-referrer or any of the other options, simply replace same-origin with your desired option. Now reload nginx, and it should be up and running. You can test this over at https://securityheaders.com:

Great success! We have got the Referrer-Policy header working

Using Apache? Don't worry, I've got you covered, just read the section below.

Apache

Apache just so happens to also have a pretty easy setup process. If you haven't done so already, enable the Apache headers module (mod_headers) with the command a2enmod headers. Then go to your virtual host file and enter the following:

Header always set Referrer-Policy "same-origin"

And like with nginx, if you wish to use a different option, simply replace same-origin with your desired option. Reload Apache, and it should all be working! Again, you can test this with https://securityheaders.com.

Right, that's all for this week. You should now know how to enable the Referrer-Policy header to increase your users' privacy. I really hope this has been a good, beneficial read. If it has, it would be great if you could share this with your friends. Just as a teaser, I'm planning on releasing a demo of why HTTPS and HSTS are important soon, so keep an eye out for that!

And as always, feel free to get in touch via whatever contact method takes your fancy on my site. I'm happy to help. See you next time!
