11

I would like to know also if you lose site functionality.

Is this a security benefit that is more beneficial than compromising functionality (if it compromises functionality at all)?

What I mean by this is on a client-side home network. Does blocking any and all HTTP Referer requests benefit the user's privacy? Will sites lose functionality if you do so?

JesseFC
  • 111
  • 1
  • 4
  • 1
    possible duplicate of [Does the practice of blocking an off-site "Referer:" HTTP requests improve website security?](http://security.stackexchange.com/questions/7944/does-the-practice-of-blocking-an-off-site-referer-http-requests-improve-websi) – schroeder Jul 04 '15 at 19:51
  • The referenced question is about referer-based filtering on the server side. I think this question is about client-side removal of the referer header, but it's not clear. – Mark Jul 04 '15 at 21:46
  • Yes, I am talking client based filtering/blocking. Personal purposes – JesseFC Jul 05 '15 at 00:47
  • About "Will sites loose functionality if you do so?", there is at least one example: `https://validator.w3.org/check?uri=referer` checks the validity of the page containing the link pointing to it. If you don't transmit the referer, then this functionality is broken. – Clément Oct 17 '17 at 21:48

2 Answers

5

> Is this a security benefit

It serves no real security purpose, but it serves a privacy purpose.

By blocking the referrer, the sites you visit will not know what site you were previously on (maybe my visit to a clothing website was due to a link I found on a deviant sexual forum discussing how the clothing company has a sale on?).

A lot of companies, especially commercial businesses, analyse where traffic to their site is coming from, so the prospect of someone seeing a referring page URL is higher than you might think.

Often, of course, you will have got to the site via your search engine, so the search terms will typically be in the address bar and will be accessible to the site. If I searched "how to trick speed cameras" and the most relevant page was on my local police force's website talking about "speed cameras", where they list "how" many they have rolled out and how the new models are harder to "trick", then the search engine might have thought my terms were relevant, but I have provided information I did not wish to share with that site (even though I am not ashamed of my choice of search engine, it's the URL which is private).

Finally, to use Tomasz's internal example but in a more likely scenario: if you got to the link via a company web page (http://ibm-intranet/Bus_Companies), then it reveals more information about me than I had intended (the fact that I potentially work for IBM) to the site I visit.

For me the HTTP referrer represents no risk, but others may feel more comfortable blocking it.

> Will sites lose functionality if you do so?

Some sites hate hot-linking to images or files, so they will not allow access to images or files unless the HTTP Referrer states it came from their site and not some other site that happens to be using their resources (both the content and the bandwidth) in a way that was not intended.

This wiki link about Referer Hiding (spelt incorrectly in the standards, so "Referer" is correct) may be of interest.

Matthew1471
  • 1,134
  • 10
  • 14
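As an added illustration (editor's example, not code from this answer or from any of the people quoted on this page): the first function shows exactly what a destination site learns from a Referer value, using the answer's own intranet URL and a constructed search-engine URL, and the second models the strict server-side hot-link check the answer describes, where a client that strips the header is treated the same as a foreign site. Host names such as `search.example` and `cdn.example` are made up for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Added example: what leaks through a Referer header, and the hot-link
# check that breaks when a client blocks the header. Host names below
# (search.example, cdn.example, other.example) are constructed.


def referer_leak(referer):
    """Split a Referer value into the pieces the destination site learns.

    Returns None when the client sent no Referer at all.
    """
    if not referer:
        return None
    parts = urlsplit(referer)
    return {
        "origin": f"{parts.scheme}://{parts.netloc}",  # which site you came from
        "path": parts.path,                             # which page on that site
        "query": parse_qs(parts.query),                 # e.g. search terms
    }


def hotlink_allowed(referer, own_host, allow_missing=False):
    """Strict hot-link protection as described in the answer.

    The resource is served only when the Referer names the site's own host.
    With allow_missing=False (the strict variant), a client that blocks the
    header is rejected exactly like a third-party site hot-linking the file.
    Compare on the parsed hostname, not on a substring, so that
    https://other.example/cdn.example is not mistaken for cdn.example.
    """
    if not referer:
        return allow_missing
    return urlsplit(referer).hostname == own_host


if __name__ == "__main__":
    samples = [
        "http://ibm-intranet/Bus_Companies",                        # from the answer
        "https://search.example/search?q=how+to+trick+speed+cameras",  # constructed
        None,                                                       # client blocks Referer
    ]
    for ref in samples:
        print(f"{ref!r:>65} -> {referer_leak(ref)}")
    for ref in ("https://cdn.example/gallery/1", "https://other.example/page", None):
        print(f"hot-link check for {ref!r}: served={hotlink_allowed(ref, 'cdn.example')}")
```

Running it shows the origin, path and decoded search terms that each sample discloses, and that the strict hot-link check serves the file only for the same-site Referer; a client that blocks the header loses the image unless the site opts into `allow_missing=True`.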
0

Imagine that your company has some CRM which has "friendly" (suggestive) URLs. And imagine that employees click on embedded links. Now, everyone with access to the logs of the linked domains can see your referers:

crm.internal/list-of-customers-to-block-if-no-purchase.php

crm.internal/list-of-customers-with-stupid-annoying-and-problematic-representatives.php

etc.

It's only an example of how allowing the Referer from an internal network can lead to information leakage. How serious this leakage can be is outside the scope of this discussion, but filtering the Referer header just in case will definitely improve overall company security.

Tomasz Klim
  • 1,456
  • 12
  • 13
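An added example from the editor (not this answer's own code): a defender who wants to know whether internal URLs like the ones above are actually leaving the network can scan an outbound proxy log for requests to external hosts that carry a Referer from an internal zone. The log lines below are constructed in Apache combined format with absolute request targets, as a forward proxy would record; the internal zone suffix `internal` and the external hosts `vendor.example`, `news.example` and `partner.example` are assumptions for the example. Plain HTTP is used because a proxy only sees the Referer of cleartext requests; TLS traffic tunnelled with CONNECT would not show it.

```python
import re
from urllib.parse import urlsplit

# Added example: find internal Referer values leaking to external hosts in a
# forward-proxy access log. Log lines and host names are constructed.

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed internal DNS zone(s); a real deployment lists its own.
INTERNAL_SUFFIXES = ("internal",)

SAMPLE_LOG = """\
10.0.0.5 - - [05/Jul/2015:10:00:00 +0000] "GET http://vendor.example/pricing HTTP/1.1" 200 512 "http://crm.internal/list-of-customers-to-block-if-no-purchase.php" "Mozilla/5.0"
10.0.0.7 - - [05/Jul/2015:10:01:00 +0000] "GET http://crm.internal/report.php HTTP/1.1" 200 2048 "http://crm.internal/index.php" "Mozilla/5.0"
10.0.0.9 - - [05/Jul/2015:10:02:00 +0000] "GET http://news.example/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Jul/2015:10:03:00 +0000] "GET http://partner.example/login HTTP/1.1" 302 0 "http://crm.internal/list-of-customers-with-stupid-annoying-and-problematic-representatives.php" "Mozilla/5.0"
""".splitlines()


def is_internal(host):
    """True when host is exactly an internal suffix or a subdomain of one."""
    if not host:
        return False
    return any(host == s or host.endswith("." + s) for s in INTERNAL_SUFFIXES)


def find_referer_leaks(lines):
    """Return (client, external_host, leaked_referer) for every request that
    went to a non-internal host while carrying an internal Referer.

    Internal-to-internal requests and requests with no Referer ("-") are
    not leaks. Lines that do not parse are skipped.
    """
    leaks = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        dest_host = urlsplit(m["target"]).hostname  # absolute target in proxy logs
        referer = m["referer"]
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        if is_internal(ref_host) and not is_internal(dest_host):
            leaks.append((m["client"], dest_host, referer))
    return leaks


if __name__ == "__main__":
    for client, dest, ref in find_referer_leaks(SAMPLE_LOG):
        print(f"{client} leaked {ref} to {dest}")
```

On the sample log this reports the two requests from 10.0.0.5 that carried a `crm.internal` path to vendor.example and partner.example; the internal-to-internal request and the request with no Referer are correctly ignored. The same function run over a real proxy log gives a concrete measure of how much a company gains by stripping the header at the egress.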