
Referrer Leak Test
Free HTTP Referer Check & Policy Tester

Run our free referrer leak test to see if your browser sends HTTP Referer headers that expose your browsing history. This referrer policy tester detects cross-domain referer leakage, URL query string leakage, and session token exposure. Websites and third-party scripts use the Referer header for cross-site tracking — our online referrer header viewer shows exactly what data your browser leaks with every click.

Quick Answer: What Is a Referrer Leak?

A referrer leak happens when your browser sends the HTTP Referer header containing the URL of the page you came from to the next website. This header can expose sensitive data like URL query strings, session tokens, password reset links, and private page paths. Use our free referrer leak test to check what your browser reveals and learn how Referrer-Policy headers like no-referrer and strict-origin-when-cross-origin can stop the leak.

HTTP Referer Check — Live Results

Leak Status: PROTECTED
Referrer Type: None
Query Params Leaked: No
Token/Key Detected: None

HTTP Referer Header — Server-Side Capture
[SERVER] HTTP_REFERER → Not Sent (Empty)
[STATUS] Your browser did not send a Referer header to this page.
[INFO] This is the expected result when:
• You typed the URL directly or used a bookmark
• The linking page uses Referrer-Policy: no-referrer
• The link had rel="noreferrer" attribute
• You navigated from HTTPS to HTTP (downgrade blocked)

Summary

Your browser did not send an HTTP Referer header to this page. This means your previous URL is not exposed — either you navigated directly, your browser or an extension blocked the header, or the linking page used a no-referrer policy. This is the most private outcome. To test a referrer leak, click a link from another website to this page and check the results. For a complete privacy audit, also run our Browser Leak Test and Canvas Fingerprint Test.

Tip: Navigate here from another website to see referrer data.

Written & Verified By: Jessica Wright, Cybersecurity Threat Researcher at TrustMyIP

Jessica specializes in HTTP header security, cross-site leak prevention, and referrer policy implementation. She helps developers and privacy-conscious users understand how referrer headers, XS-Leaks, and information disclosure vulnerabilities expose browsing data.


What Is a Referrer Leak Test and Why Does It Matter?

A referrer leak test checks whether your browser sends the HTTP Referer header when you navigate between websites. This header contains the full or partial URL of the page you came from — and it is sent automatically with every click, every embedded image load, and every third-party script request on the page.

According to Wikipedia's article on HTTP referer, the Referer header was introduced in the original HTTP specification and has been a persistent source of information disclosure vulnerabilities ever since. The header can leak URL query strings containing session tokens, password reset links, email addresses, search queries, and private page paths to any external website or tracking script.

Our free HTTP referer check captures the actual Referer header your browser sent to this page (server-side via $_SERVER['HTTP_REFERER']) and also reads the client-side document.referrer value. It parses the URL to detect cross-domain referer leakage, query string exposure, and potential session token exposure.

Key Fact: A 2020 study by researchers at Princeton University found that over 85% of the top 10,000 websites contained at least one external resource that received the full page URL via the Referer header — enabling cross-site tracking without cookies.

How HTTP Referer Headers Work: The Technical Breakdown

Understanding the mechanics of referrer leaks explains why they are so difficult to prevent completely. The Referer header is deeply embedded in how browsers handle navigation.

When the Referer Header Is Sent

Your browser sends the Referer header in these situations: when you click a link to another page, when a page loads embedded resources (images, scripts, iframes), when JavaScript triggers a fetch() or XMLHttpRequest, and when CSS loads external fonts or background images. Every one of these requests can leak your current URL.

What the Header Contains

// Example: What the receiving server sees
// You are on: https://bank.com/account?session=ABC123&user=john
// You click a link to: https://news-site.com/article

// news-site.com receives this HTTP header:
Referer: https://bank.com/account?session=ABC123&user=john

// The news site now knows:
// - You came from bank.com
// - Your session token: ABC123
// - Your username: john
// - The exact page path: /account

Server-Side vs Client-Side Detection

The Referer header exists in two places. On the server, it is available via $_SERVER['HTTP_REFERER'] in PHP or req.headers.referer in Node.js. On the client, JavaScript can read it via document.referrer. Our referrer leak test checks both to give you a complete picture. For testing other browser-level leaks, check your Font Fingerprint and Canvas Fingerprint.
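The classification the text describes (referrer type, query-string exposure, token-looking parameters) can be implemented over a captured header value. The following is an added example, not the TrustMyIP tool's own code; the sensitive parameter names, secret-value patterns and sample headers are assumptions constructed for illustration, and the same function works on a server-side header string or on document.referrer.

```javascript
// Added example, not the page's own tool code: classify a captured Referer value.
// Parameter-name list and value patterns are assumptions, not the tool's real rules.
const SENSITIVE_NAME = /^(token|session(id)?|sid|api[_-]?key|key|auth|access[_-]?token|code|email|reset)$/i;
// Values that look like secrets even under an innocuous parameter name.
const SECRET_VALUE = /^(sk_(live|test)_[A-Za-z0-9]+|[A-Fa-f0-9]{32,}|[A-Za-z0-9_-]{40,})$/;

function analyzeReferer(referer, currentOrigin) {
  // referer: raw header string (server) or document.referrer (client); '' when absent
  if (!referer) {
    return { status: 'PROTECTED', referrerType: 'None', queryParamsLeaked: false, tokens: [] };
  }
  let url;
  try {
    url = new URL(referer);
  } catch (e) {
    return { status: 'UNKNOWN', referrerType: 'Malformed', queryParamsLeaked: false, tokens: [] };
  }
  const sameOrigin = url.origin === currentOrigin;
  const queryParamsLeaked = url.search.length > 1;      // more than a bare '?'
  const pathLeaked = url.pathname !== '/';
  const tokens = [];
  for (const [name, value] of url.searchParams) {
    if (SENSITIVE_NAME.test(name) || SECRET_VALUE.test(value)) tokens.push(name);
  }
  let referrerType, status;
  if (sameOrigin) {
    referrerType = 'Same-Origin';
    status = 'SAME-ORIGIN';                 // full URL within the same site is expected
  } else if (!pathLeaked && !queryParamsLeaked) {
    referrerType = 'Cross-Origin (origin only)';
    status = 'ORIGIN-ONLY';                 // what strict-origin-when-cross-origin sends
  } else {
    referrerType = 'Cross-Origin (full URL)';
    status = 'LEAKING';                     // path and/or query reached another site
  }
  return { status, referrerType, queryParamsLeaked, tokens };
}

// Constructed sample headers, as a server-side capture would see them.
const SAMPLES = [
  'https://bank.com/account?session=ABC123&user=john',  // the page's bank.com scenario
  'https://bank.com/',                                  // origin-only referrer
  '',                                                   // no-referrer or direct navigation
];
for (const r of SAMPLES) console.log(JSON.stringify(analyzeReferer(r, 'https://trustmyip.com')));
```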

Referrer-Policy Header Explained: All 8 Values Compared

The W3C Referrer Policy specification defines 8 policy values that control how much URL information browsers include in the Referer header. Understanding them is essential for interpreting any referrer policy tester result.

Policy Value                    | Cross-Origin Behavior    | Same-Origin Behavior | Security
--------------------------------|--------------------------|----------------------|------------
no-referrer                     | Nothing sent             | Nothing sent         | Maximum
strict-origin-when-cross-origin | Origin only (domain)     | Full URL             | Recommended
same-origin                     | Nothing sent             | Full URL             | High
origin                          | Origin only              | Origin only          | Moderate
strict-origin                   | Origin (HTTPS→HTTPS)     | Origin only          | Moderate
origin-when-cross-origin        | Origin only              | Full URL             | Moderate
no-referrer-when-downgrade      | Full URL (HTTPS→HTTPS)   | Full URL             | Low
unsafe-url                      | Full URL always          | Full URL always      | Dangerous

The current browser default is strict-origin-when-cross-origin (Chrome 85+, Firefox 87+). This sends only the domain name to external sites but the full URL within the same site. For maximum privacy, use no-referrer.
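To see how the table above is produced, the decision steps of the W3C Referrer Policy "determine request's referrer" algorithm can be run for each policy value against the page's bank.com scenario. This is an added example, not code from the page; it approximates "potentially trustworthy" as an https: scheme and always strips credentials and the fragment, as browsers do.

```javascript
// Added example, not the page's own code: the Referer value a browser sends from
// `from` to `to` under each Referrer-Policy value (W3C Referrer Policy steps).
// Assumption: "potentially trustworthy" is approximated as the https: scheme.
const POLICIES = [
  'no-referrer', 'strict-origin-when-cross-origin', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin', 'no-referrer-when-downgrade', 'unsafe-url',
];

// Browsers never send credentials or the fragment in Referer, under any policy.
function strippedUrl(urlString) {
  const u = new URL(urlString);
  u.username = ''; u.password = ''; u.hash = '';
  return u.href;
}

function computeReferer(policy, from, to) {
  const src = new URL(from), dst = new URL(to);
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === 'https:' && dst.protocol === 'http:';
  const full = strippedUrl(from);
  const originOnly = src.origin + '/';            // e.g. Referer: https://bank.com/
  switch (policy) {
    case 'no-referrer':                 return null;
    case 'unsafe-url':                  return full;
    case 'origin':                      return originOnly;   // origin even on downgrade
    case 'strict-origin':               return downgrade ? null : originOnly;
    case 'same-origin':                 return sameOrigin ? full : null;
    case 'origin-when-cross-origin':    return sameOrigin ? full : originOnly;
    case 'no-referrer-when-downgrade':  return downgrade ? null : full;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error('unknown Referrer-Policy: ' + policy);
  }
}

// Map every policy to what the destination sees, reproducing the comparison table.
function policyTable(from, to) {
  const out = {};
  for (const p of POLICIES) {
    const v = computeReferer(p, from, to);
    out[p] = v === null ? '(not sent)' : v;
  }
  return out;
}

// The page's bank.com scenario, clicking through to a cross-origin news site.
const FROM = 'https://bank.com/account?session=ABC123&user=john';
console.table(policyTable(FROM, 'https://news-site.com/article'));  // HTTPS -> HTTPS
console.table(policyTable(FROM, 'http://news-site.com/article'));   // HTTPS -> HTTP downgrade
```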

Cross-Domain Referer Leakage: How Third-Party Scripts Steal Your URLs

Cross-domain referer leakage is the most dangerous form of referrer leak. It happens when your full URL — including path and query parameters — is sent to a completely different website or to third-party scripts embedded on the page you are visiting.

The Third-Party Script Problem

Even if you never click an external link, third-party scripts on the page (analytics, ad trackers, social widgets) make their own HTTP requests and receive the Referer header automatically. Google Analytics, Facebook Pixel, and advertising scripts all receive the full URL of every page they are embedded on.

Real-World Leak Scenarios

  • Password Reset: URL contains ?token=abc123&email=user@mail.com — any external script on the reset page receives this sensitive token.
  • Internal Search: URL contains ?q=company+layoff+plans — analytics scripts see your private search queries.
  • Private Documents: URL contains /docs/confidential-merger-plan — the page path itself reveals sensitive information.
  • API Keys: URL contains ?api_key=sk_live_xxx — any third-party script on that page receives your live API key.

Check how your IP and network metadata are exposed separately with our IP Fraud Score Checker and WHOIS Lookup.

Difference Between noreferrer and noopener: 2026 Guide

Two HTML attributes — rel="noreferrer" and rel="noopener" — are often confused. They solve completely different security problems.

Attribute                  | What It Does                                     | Security Problem Solved
---------------------------|--------------------------------------------------|----------------------------------------------------
rel="noreferrer"           | Prevents browser from sending the Referer header | Stops URL leakage and cross-domain referrer tracking
rel="noopener"             | Prevents new tab from accessing window.opener    | Stops reverse tabnabbing attacks (page hijacking)
rel="noreferrer noopener"  | Both protections combined                        | Best practice for all external links

<!-- Recommended: Use both on all external links -->
<a href="https://external-site.com"
   target="_blank"
   rel="noreferrer noopener">
  Visit External Site
</a>

<!-- noreferrer = hides where user came from -->
<!-- noopener = prevents the new page from -->
<!-- accessing window.opener (tabnabbing) -->

For checking other browser security vectors, test your JA3 TLS Fingerprint and WebRTC Leak status.

How to Prevent Referrer Header Leak in 2026

Preventing referrer leaks requires action at multiple levels: server configuration, HTML markup, and browser settings.

Method 1: Server HTTP Header

# Apache (.htaccess)
Header always set Referrer-Policy "strict-origin-when-cross-origin"

# Nginx
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# For maximum privacy (Apache form shown):
Header always set Referrer-Policy "no-referrer"

Method 2: HTML Meta Tag

<!-- Add to <head> — works even without server access -->
<meta name="referrer" content="no-referrer">

<!-- Or for balanced SEO + privacy: -->
<meta name="referrer" content="strict-origin-when-cross-origin">

Method 3: Per-Link Control

<!-- Block referrer on specific external links -->
<a href="https://external.com" rel="noreferrer noopener">Link</a>

// JavaScript fetch with no referrer
fetch('https://api.example.com', {
  referrerPolicy: 'no-referrer'
});

Method 4: Browser Settings

Firefox: Enable Enhanced Tracking Protection (Strict mode) which limits cross-site referrers. Brave: Strips referrers to origin by default via Shields. Tor Browser: Sends no referrer headers at all. Chrome: Defaults to strict-origin-when-cross-origin since version 85. Verify your Tor status with our Tor Detection Tool.

Pro Tip: After setting your Referrer-Policy, run our referrer leak test from an external page to verify. Click a link from Google or another site to this page — the terminal will show exactly what your browser sends.

Cross-Site Leaks (XS-Leaks) and Session Token Exposure via Referrer

The HTTP Referer header creates serious security vulnerabilities beyond simple privacy concerns. Two critical risks are XS-Leaks (cross-site leaks) and session token exposure.

XS-Leaks via Referrer

Cross-site leaks exploit the Referer header to infer private information about users. An attacker embeds resources from a target site and monitors the referrer to determine if the user is logged in, what pages they visited, or what data they have access to. This is a form of information disclosure that bypasses same-origin policy.

Session Token Exposure

If a web application includes session tokens, API keys, or authentication codes in the URL (a common but dangerous practice), every external resource on that page receives these credentials via the Referer header. This enables session hijacking — an attacker who controls a third-party script can capture and replay the session token.

Security Alert: Never place sensitive tokens, API keys, or personal data in URL query parameters. Use POST request bodies or HTTP-only cookies instead. If you must use URL parameters, always set Referrer-Policy: no-referrer on pages containing sensitive URLs.

Referrer Leak Test for Privacy-Focused Browsers

Running our referrer leak test on different browsers reveals dramatically different behavior. Here is what each browser sends by default.

Browser               | Default Policy                         | Cross-Origin Sent               | Privacy
----------------------|----------------------------------------|---------------------------------|---------
Chrome / Edge         | strict-origin-when-cross-origin        | Origin only                     | Moderate
Firefox (default)     | strict-origin-when-cross-origin        | Origin only                     | Moderate
Firefox (Strict ETP)  | strict-origin-when-cross-origin + trim | Origin only, trackers blocked   | High
Brave                 | strict-origin-when-cross-origin        | Origin only, trackers stripped  | High
Safari                | strict-origin-when-cross-origin        | Origin only + ITP               | High
Tor Browser           | no-referrer (cross-origin)             | Nothing sent                    | Maximum

Even with strict-origin-when-cross-origin as the default, the origin (domain name) is still sent cross-site. Only no-referrer and Tor Browser completely eliminate the leak.

GDPR Compliance and Referrer Headers: Legal Implications

Under GDPR (General Data Protection Regulation), any data that can identify a person is considered personal data. A Referer header that contains an email address, username, or unique session token meets this definition.

When Referrer Data Becomes Personal Data

  • Email in URL: ?email=user@company.com — directly identifying personal data.
  • User ID in Path: /users/12345/profile — pseudonymous identifier tied to an individual.
  • Session Token: ?sid=abc123 — can be used to impersonate the user.
  • Search Queries: ?q=divorce+lawyer+near+me — reveals sensitive personal circumstances.

Developer Responsibility

If your website sends user URLs containing personal data to third-party services via the Referer header, you are transferring personal data to those third parties. Under GDPR, this requires a legal basis (consent, legitimate interest) and must be disclosed in your privacy policy. The simplest fix is setting Referrer-Policy: strict-origin-when-cross-origin to strip paths and query strings from cross-origin requests. This is also relevant under the Privacy Sandbox initiative for reducing cross-site tracking.

For testing how your IP-level privacy is handled under these regulations, check your IP Blacklist Status and IP Geolocation.

How to Fix Cross-Domain Referer Leakage for SEO

SEO professionals often worry that blocking the Referer header will eliminate referral traffic data in Google Analytics. Here is how to balance SEO referral data with cross-domain referer leakage prevention.

The SEO-Privacy Balance

The policy strict-origin-when-cross-origin is the ideal compromise. It sends your domain name (origin) to external sites — so Google Analytics still shows "trustmyip.com" as the referrer source — but hides the specific page path and query parameters. External sites see that traffic came from your domain but not which specific page.

// What Google Analytics sees with each policy:

// no-referrer:
Referral source: (direct) — No SEO referral data ❌

// strict-origin-when-cross-origin (recommended):
Referral source: trustmyip.com — Domain visible, path hidden ✅

// unsafe-url:
Referral source: trustmyip.com/secret-page?key=abc123 — Full leak ❌

Implementation for WordPress and CMS

Most CMS platforms allow adding the Referrer-Policy header via server configuration or plugins. In WordPress, use a security header plugin or add the header to your .htaccess file. This provides site-wide protection without modifying individual links. Check your site's complete secure headers configuration alongside your DNS records and SSL certificate.

Check If Browser Sends Referrer Header to Third-Party Scripts

You can manually verify what your browser sends to third-party scripts using your browser's DevTools. This is the most thorough way to audit referrer leaks beyond our automated test.

Step-by-Step DevTools Audit

  • Step 1: Open DevTools (F12 or Ctrl+Shift+I) and go to the Network tab.
  • Step 2: Reload the page you want to audit.
  • Step 3: Filter by "JS" or "Img" to see third-party resource requests.
  • Step 4: Click on any third-party request (e.g., google-analytics.com).
  • Step 5: In the Headers panel, look for the Referer field under Request Headers.
  • Step 6: If you see your full page URL including path and query parameters, you have a referrer leak to that third party.

// JavaScript: Check document.referrer programmatically
console.log('Current page referrer:', document.referrer);

// Check the effective Referrer-Policy
const meta = document.querySelector('meta[name="referrer"]');
if (meta) {
  console.log('Meta Referrer Policy:', meta.content);
} else {
  console.log('No meta referrer tag found — using server header or browser default');
}

Best Free Tool to Check HTTP Referrer Policy: Complete Audit Checklist

Our referrer leak test is the most comprehensive free referrer policy tester available. Here is a complete checklist for auditing your referrer privacy.

8-Step Referrer Privacy Audit

  • Step 1: Run our referrer leak test — check the server-side Referer header and client-side document.referrer.
  • Step 2: Navigate to this page from an external link (Google, social media) — verify what the referring page leaks.
  • Step 3: Check your site's Referrer-Policy HTTP header using DevTools or a secure headers scanner.
  • Step 4: Add rel="noreferrer noopener" to all external <a> tags.
  • Step 5: Add <meta name="referrer" content="strict-origin-when-cross-origin"> as a fallback.
  • Step 6: Audit pages with sensitive URL parameters (login, reset, API) — set no-referrer on those pages.
  • Step 7: Test your Browser Leaks, Canvas Fingerprint, and Battery Status for a complete privacy audit.
  • Step 8: Check your Timezone Dissonance and IP Fraud Score to assess your overall tracking surface.

Frequently Asked Questions About Referrer Leaks

What is a referrer leak test?

A referrer leak test checks if your browser sends the HTTP Referer header when navigating between sites. This header can leak URLs, query strings, session tokens, and private page paths to third-party websites.

How to prevent referrer header leak in 2026?

Set Referrer-Policy: strict-origin-when-cross-origin in your server headers or use <meta name="referrer" content="no-referrer">. Add rel="noreferrer" to external links. Use Firefox Strict ETP, Brave, or Tor Browser.

What is the difference between noreferrer and noopener?

rel="noreferrer" prevents sending the Referer header (URL privacy). rel="noopener" prevents the new tab from accessing window.opener (tabnabbing security). Use both together on external links.

Is my website leaking sensitive data in the referrer header?

If your URLs contain tokens, session IDs, emails, or API keys and your pages load third-party scripts, then yes. Every external resource request receives the full Referer URL unless you set a restrictive Referrer-Policy.

How to fix cross-domain referer leakage for SEO?

Use strict-origin-when-cross-origin — it sends your domain name (preserving analytics referral data) but hides page paths and query parameters from external sites.

Does HTTPS prevent referrer leaks?

Only when navigating from HTTPS → HTTP (downgrade). HTTPS → HTTPS (95% of modern web) still sends the full Referer unless a restrictive Referrer-Policy is set.

Which browsers protect against referrer leaks?

Tor Browser sends no referrer. Brave strips referrers via Shields. Firefox (Strict ETP) trims referrers to trackers. Safari (ITP) limits cross-site referrers. Chrome/Edge default to strict-origin-when-cross-origin.

Check if browser sends referrer header to third-party scripts?

Open DevTools → Network tab → reload page → click any third-party request → check Request Headers for the Referer field. If you see your full URL, that third party received your page data.
