HTTP Referer Security Considerations

By Deane Barker on December 24, 2003

HTTP/1.1: Security Considerations: Regarding my earlier post about the Outlook Web Access privacy issue, here’s what I found about HTTP Referer headers in the HTTP 1.1 spec (RFC 2616):

Because the source of a link might be private information or might reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer and From information.

That would be a great feature, but as far as I know, no browser offers this.

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

This may mitigate some of the problem with Outlook Web Access, because a lot of those systems will be using SSL.

Authors of services which use the HTTP protocol SHOULD NOT use GET based forms for the submission of sensitive data, because this will cause this data to be encoded in the Request-URI. Many existing servers, proxies, and user agents will log the request URI in some place where it might be visible to third parties. Servers can use POST-based form submission instead.

Another good point, which I mentioned in my earlier post.



  1. “That would be a great feature, but as far as I know, no browser offers this.”

    The Opera browser has exactly this kind of feature. You can download a free version at and choose to disable referer logging (file -> preferences or file -> quick preferences) ;)

Comments are closed. If you have something you really want to say, tweet @gadgetopia.