Normally, this header is included in most HTTP requests (and
preserved across HTTP-level redirects), except in the following
After organically entering a new URL into the address bar or
opening a bookmarked page.
When the navigation originates from a pseudo-URL document, such
When the request is a result of redirection controlled by the
Refresh header (but not a Location-based one).
Whenever the referring site is encrypted but the requested page
isnât. According to RFC 2616 section 15.1.2, this is done for
privacy reasons, but it does not make a lot of sense. The
Referer string is still disclosed to third parties when one
navigates from one encrypted domain to an unrelated encrypted
one, and rest assured, the use of encryption is not synonymous
If the user decides to block or spoof the header by tweaking
browser settings or installing a privacy-oriented plug-in.