The Referer Problem

In May 1996, a new HTTP header was added to an RFC document. Fittingly named "Referer", a name that originated from a common spelling error, it was a mechanism for checking which site a request originated from.

In the original proposal, it was seen as a solid method for tracking broken links, fixing website errors, and analytics.

Let's take a hypothetical example. I've included a link in my blog which takes you to Twitter. If you were to click this link, Twitter would open. Amazing, right?

But there's a catch.

The request is now sent with a Referer: header, which tells Twitter that you read my blog and which article you opened Twitter from. This lays the foundation for user tracking. It could also be used to monitor which pages a user has browsed.

I also wrote a blog article about DuckDuckGo's attempts to prevent search query leaks in the Referer header. Check it out!
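What the destination site can read from that header, shown as an added example that is not part of the original post. It parses two constructed requests (blog.example, search.example and shop.example are placeholder hosts, and the function names are made up for this illustration) and returns the referring site, the page, and any query string carried in the URL.

```javascript
// Added example: what a receiving server learns from the Referer header.
// Hosts and paths in the sample requests are constructed placeholders.

function parseHeaders(rawRequest) {
  const headers = new Map();
  for (const line of rawRequest.split(/\r?\n/).slice(1)) { // skip request line
    if (line === "") break;                   // blank line ends the header block
    const idx = line.indexOf(":");
    if (idx <= 0) continue;                   // ignore malformed lines
    // Header names are case-insensitive, so normalise to lower case.
    headers.set(line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim());
  }
  return headers;
}

function refererDisclosure(rawRequest) {
  const value = parseHeaders(rawRequest).get("referer");
  if (!value) return null;                    // header absent: nothing disclosed
  let url;
  try {
    url = new URL(value);
  } catch {
    return { raw: value, site: null, page: null, query: {} }; // not an absolute URL
  }
  return {
    raw: value,
    site: url.host,                              // which site the visitor came from
    page: url.pathname,                          // which article they were reading
    query: Object.fromEntries(url.searchParams), // e.g. a search query in the URL
  };
}

// Constructed request: a click on a link in a blog post that leads to Twitter.
const fromBlog = [
  "GET / HTTP/1.1",
  "Host: twitter.com",
  "Referer: https://blog.example/posts/the-referer-problem",
  "", "",
].join("\r\n");

// Constructed request: a click on a search result, with the query in the URL.
const fromSearch = [
  "GET /landing HTTP/1.1",
  "Host: shop.example",
  "referer: https://search.example/?q=private+medical+question",
  "", "",
].join("\r\n");

console.log(refererDisclosure(fromBlog), refererDisclosure(fromSearch));
```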

Scary stuff!

Fast forward 24 years to 2020, and Referer is still a problem. It's commonly used by agencies like Google, e.g. with Google Analytics, to track a user's browsing history on hundreds of millions of websites.

Hmm. I need to review the advice I last put up on here, to ensure it's all correct. Apologies!