
Browsers will not send a referrer when linking from HTTPS to HTTP

Henning Koch
May 06, 2013
Software engineer at makandra GmbH
  • When your site is on HTTPS and you are linking or redirecting to an HTTP site, the browser will not send a referrer.
  • This means the target site will see your traffic as "direct traffic", i.e. they cannot distinguish such hits from a user who directly typed in the URL.

Reasons for this behavior

It's probably because of this RFC:

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

It's not clear why this SHOULD exists. One might think it's because of session IDs encoded in the URL (something that was in fashion in the 90s), but then again browsers do send referrers when linking from HTTPS to HTTPS.
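
The rule quoted above, modelled as an added JavaScript example (not code from the original card or from any browser). `refererFor` and `classify` are hypothetical names and the URLs are constructed placeholders; the function also drops the fragment and userinfo, which the HTTP specification requires of any Referer value.

```javascript
// Added illustration: a model of the quoted RFC rule, not browser source code.
// Returns the Referer value a client following that rule would send when
// navigating from `fromUrl` to `toUrl`, or null when it sends none.
function refererFor(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);

  // This model only treats http(s) pages as referring pages.
  if (from.protocol !== 'https:' && from.protocol !== 'http:') return null;

  // The quoted rule: secure referring page, non-secure HTTP request.
  if (from.protocol === 'https:' && to.protocol === 'http:') return null;

  // A Referer never carries the fragment or userinfo of the referring URL.
  from.hash = '';
  from.username = '';
  from.password = '';
  return from.href;
}

// How the target site's analytics would label the hit.
function classify(fromUrl, toUrl) {
  return refererFor(fromUrl, toUrl) === null ? 'direct' : 'referral';
}

// Constructed sample navigations covering all four scheme combinations.
const samples = [
  ['https://shop.example.com/cart?step=2#summary', 'http://partner.example.org/'],
  ['https://shop.example.com/cart?step=2#summary', 'https://partner.example.org/'],
  ['http://shop.example.com/cart', 'http://partner.example.org/'],
  ['http://shop.example.com/cart', 'https://partner.example.org/'],
];
for (const [from, to] of samples) {
  console.log(`${from} -> ${to}: ${classify(from, to)}`);
}
```

Only the first sample, HTTPS to HTTP, is classified as direct traffic; note that the session-style query string in the second sample is still sent to the HTTPS target.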

Fixes

Posted by Henning Koch to makandra dev (2013-05-06 17:00)