When looking at website analytics, you may notice you can often see where a visitor has come from. How does this work?
The answer is that by default, web browsers tell the server where they came from when a link is clicked.
This is done with the HTTP Referer header (yes, this is a spelling mistake of referrer but that’s what is used).
It is also sent with image requests loaded from a page.
You may think this is a massive privacy leak and you’d be correct. Fortunately you can switch it off.
In Firefox you can go to about:config and find the network.http.sendRefererHeader setting.
This can have a value of 0, 1 or 2.
The default value is 2, which means always send the header. 0 turns this feature off completely and 1 only sends it for user actions (link clicks but not images).
There are a couple of downsides to changing this setting.
The first is that some naive web app frameworks (e.g. Python’s Django) use it for CSRF protection. This isn’t a good way of doing this but we can’t control that. You may have to temporarily re-enable the header (set to 1) to use these sites.
Another downside is that it gives your browser a more unique fingerprint. The further you stray from the defaults the easier it is to track.
You may think withholding the referrer data is unnecessary, given the downsides. Perhaps if more sites respected the DNT header then we wouldn’t need to. Maybe some GDPR enforcement can help in this area.