Hiding the HTTP Referer with PHP, JS or Meta Refresh

So there’s been some talk recently in some blogs on the interwebs regarding cloaking/masking/hiding HTTP REFERERs to protect your traffic sources.

I did some simple testing of my own and thought I’d share my results and some sample code to help some people out with a simple jump/redirect script. The three basic ways to accomplish a redirect are via JavaScript, meta refresh, or an HTTP 30x header. The former two are sent within HTML and the latter is sent before any HTML output to the browser.

Here’s a sample of each:


Javascript Redirect:
<script type="text/javascript">
<!--
window.location = "http://www.example.com/"
//-->
</script>

Meta Refresh:
<meta http-equiv="refresh" content="5;url=http://example.com"/>

HTTP 302 Header Redirect in PHP
<?php header('Location: http://www.example.com',true,302); exit; ?>

The odd thing I found was that IE handles JavaScript and meta refreshes slightly differently than Firefox or Safari. Internet Explorer will null the REFERER when it hits the target site, while Firefox and Safari will both set the REFERER to the URL of the page containing the JavaScript or meta refresh code.

If you want to cloak an Internet Explorer redirect, you’ll have to follow xmcp’s frame/iframe suggestions. If you’re fine with blanking the REFERER in IE and sending a masked REFERER in FF and Safari, the example below may be useful (coded in PHP).


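<?php
// Filename jump.php
// syntax http://www.example.com/jump.php?url=http://myaffiliateurl.com?id=myid
// (URL-encode the url value if the target has more than one query parameter)
$raw = isset($_GET['url']) ? $_GET['url'] : '';
// htmlspecialchars() alone does not stop javascript: or data: URLs,
// so only accept http(s) targets
if (!preg_match('#^https?://#i', $raw)) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid url');
}
$url = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'); // escaped for HTML attributes
// escaped for the JavaScript string below (json_encode adds the quotes)
$js_url = json_encode($raw, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="refresh" content="3;url=<?php echo $url; ?>"/>
</head>
<body>
<div style="height:300px;line-height:300px;text-align:center">
<a href="<?php echo $url; ?>">Click here to continue</a>
</div>
<script type="text/javascript">
<!--
window.location = <?php echo $js_url; ?>;
//-->
</script>
</body>
</html>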

One additional note, if you are redirecting from an encrypted HTTPS (SSL) page to an HTTP url, the REFERER is not supposed to be passed. This may or may not be the case, in my testing… a regular a href link will pass a blank REFERER, but an a href= to the HTTPS which does a 302 to a HTTP host DOES pass the REFERER. Make sure to always test your intermediate jump script if referer cloaking/hiding is important to you!
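A jump script that forwards to whatever `url` it is given is an open redirect, so the sketch below restricts targets to known hosts and also asks the browser to drop the Referer instead of relying on per-browser redirect quirks. It is an added example, not the original jump.php: `$ALLOWED_HOSTS` and `jump_target()` are hypothetical names, the host list is constructed, and the `Referrer-Policy` header, `meta name="referrer"` and `rel="noreferrer"` only take effect in browsers that implement them.

```php
<?php
// Added example (not the original jump.php). $ALLOWED_HOSTS and
// jump_target() are hypothetical names; the host list is constructed.
$ALLOWED_HOSTS = array('myaffiliateurl.com', 'www.example.com');

// Return the URL if it is a plain http(s) URL on an allowed host, else null.
function jump_target($raw, $allowed_hosts) {
    if (!is_string($raw) || $raw === '' || strlen($raw) > 2048) {
        return null;
    }
    // Reject control characters, spaces and backslashes, which browsers and
    // parse_url() can interpret differently.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $raw)) {
        return null;
    }
    $p = parse_url($raw);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    if (!in_array(strtolower($p['scheme']), array('http', 'https'), true)) {
        return null;
    }
    // No user:pass@ part, so "http://myaffiliateurl.com@other.host/" fails.
    if (isset($p['user']) || isset($p['pass'])) {
        return null;
    }
    if (!in_array(strtolower($p['host']), $allowed_hosts, true)) {
        return null;
    }
    return $raw;
}

$target = jump_target(isset($_GET['url']) ? $_GET['url'] : '', $ALLOWED_HOSTS);
if ($target === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('Unknown destination');
}
// Ask the browser to omit the Referer on the onward navigation.
header('Referrer-Policy: no-referrer');
$html = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html><head>
<meta name="referrer" content="no-referrer">
<meta http-equiv="refresh" content="0;url=<?php echo $html; ?>">
</head><body>
<a rel="noreferrer" href="<?php echo $html; ?>">Click here to continue</a>
</body></html>
```

To confirm what the destination actually receives, point the script at a page you control that logs `$_SERVER['HTTP_REFERER']` and load it in each browser you care about.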

5 thoughts on “Hiding the HTTP Referer with PHP, JS or Meta Refresh”

  1. Meta and PHP referring blanking is pretty much useless. It won’t work since the browser knows where it’s coming from and where it’s going. Only way I found to hide the referrer consistently is by using anonymous link websites like http://lynkto.net and so on.
