HTTP Referer in HTTP Requests
Previously, when integrating our system with other sites for login authentication, we used the Referer header. Here’s a summary of what I learned.
What is the Referer Header
HTTP Referer is a field in the HTTP header that tells the server which page the request came from, allowing the server to perform specific processing based on this information.
For example, if my system allows passwordless login for users who arrive through a link on website A, then I need to check the Referer header to confirm that the request came from A.
Does window.open() Carry Referer in Link Requests?
Testing shows that IE loses the Referer header, while Edge preserves it, and Chrome definitely preserves it. Therefore, if your site requires the Referer header to be present, it’s recommended to open the link by an alternative method instead of window.open(), such as a location change or a direct hyperlink.
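A strict server-side form of the Referer check described above, including the case where the header is missing, as an added Node.js example that is not code from the original post. The partner origin https://a.example, the function names, and the otherCheckPassed flag (standing in for whatever additional verification the site uses) are assumptions.

```javascript
// Added example. https://a.example is a constructed partner origin;
// classifyReferer and decideEntry are hypothetical helper names.
const ALLOWED_ORIGINS = new Set(["https://a.example"]);

// Classify a raw Referer header value against exact allowed origins.
// verdict is one of: "match", "mismatch", "missing", "malformed".
function classifyReferer(headerValue, allowed = ALLOWED_ORIGINS) {
  if (typeof headerValue !== "string" || headerValue.trim() === "") {
    // Header absent: e.g. window.open() in IE, or a no-referrer policy.
    return { verdict: "missing", origin: null };
  }
  let url;
  try {
    url = new URL(headerValue.trim());
  } catch {
    return { verdict: "malformed", origin: null };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { verdict: "malformed", origin: null };
  }
  // url.origin is scheme + host + port, normalised (host lower-cased,
  // default port dropped). Comparing it exactly avoids the mistakes of
  // substring or prefix matching on the raw header, where a different
  // host that merely contains the partner's name would pass.
  const verdict = allowed.has(url.origin) ? "match" : "mismatch";
  return { verdict, origin: url.origin };
}

// Assumed policy: the Referer is only a hint sent by the client.
// otherCheckPassed represents the additional verification mechanism;
// passwordless entry is never granted on the Referer alone.
function decideEntry(headerValue, otherCheckPassed) {
  const { verdict } = classifyReferer(headerValue);
  if (!otherCheckPassed) return "normal-login";
  if (verdict === "match") return "passwordless";
  // A missing header is tolerated so browsers that drop it still work.
  if (verdict === "missing") return "passwordless";
  // A present but wrong or unparsable Referer is treated as a red flag.
  return "normal-login";
}

// Constructed sample values, printed for inspection.
for (const sample of ["https://a.example/portal?id=1", "https://A.EXAMPLE:443/",
                      "https://a.example.other.test/", undefined, "not a url"]) {
  console.log(String(sample), "->", classifyReferer(sample).verdict);
}
```

The mismatch and malformed verdicts are worth logging together with the parsed origin, since they show who is linking to the login entry point.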
Related Resources
- https://en.wikipedia.org/wiki/HTTP_referer
- https://75team.com/post/everything-you-could-ever-want-to-know-and-more-about-controlling-the-referer-header-fastmail-blog.html
Final Thoughts
The HTTP Referer header is a useful but sometimes unreliable mechanism for tracking request origins across different browsers. While modern browsers generally support it well, legacy browsers like Internet Explorer may drop the header in certain scenarios. For critical authentication or security use cases, consider implementing additional verification mechanisms alongside Referer checks.