HTTP - Referer (Referrer)


The referer (or referrer) identifies the URL of the page where a link was clicked (i.e. where the request originated). It identifies the address of the web page that linked to the resource.

The referer may also be known as the request's initiator.

Its value is given in the Referer header field of an HTTP request (referer is a misspelling of referrer; see HTTP referer note-1).

A referrer source is either:


The client, generally a browser, would insert the following header in the HTTP request:


How to get the Referer in JavaScript

  • In an iframe
var referrer = parent.document.referrer;
// not in an iframe
document.referrer;
  • Print



The referrer policy modifies the algorithm used to populate the Referer header when fetching subresources, prefetching, or performing navigations.

It can be set as a response header.

Example used by Gmail:

Referrer-Policy: strict-origin-when-cross-origin

The possible values are explained in the table below.

| Value | Description |
|---|---|
| the empty string | Basically the default |
| no-referrer | no referrer information is sent |
| no-referrer-when-downgrade | default policy - referer is sent from https only to http and from http to https on the same origin (more specifically to trustworthy URL) |
| same-origin | sent only with a same-origin request |
| origin | send only the origin for all requests (i.e. for, the Referer value would be |
| strict-origin | same as the origin policy but only over https |
| origin-when-cross-origin | for cross-origin requests: same as the origin policy; for same-origin requests: send the full referer |
| strict-origin-when-cross-origin | same as the origin-when-cross-origin policy but only over https (used by Gmail) |
| unsafe-url | always send the referer (unsafe because if the page is behind a security wall (not public), you send its URL) |

