PHP: Changing referer with header()

Question

My CMS links to other sites for convenience and I'd like to hide the referer so that other sites don't see the directory and the query string of my CMS. I now have the CMS linking to a PHP file elswhere on my server which in turn redirects to the link via header() but the referer is still from my CMS, not from the linking PHP. Furthermore...

header("Referer: nowhere");
header("Location: $_REQUEST[urltolinkto]");

... doesn't appear to change anything. No matter what I put as referer, it's always the one from my CMS where the user actually clicked on the link.

Can the referer be changed (to the linking PHP), or do I have to use javascript or meta refresh?

Answer 1

You cannot set Referer header manually but you can use location.href to set the referer header to the link used in href but it will cause reloading of the page.

Answer 2

A good solution is to simply use the classic <META HTTP-EQUIV="REFRESH" CONTENT="0; URL=http://www.example.com/">.

In fact, Google Analytics has a help page specifically for this question with users who ask about web-tracking not working on redirects, here: Support.Google.com -> Redirects: Place the tag on redirecting pages. They explain the problem quite well:

If your site uses redirects, the redirecting page becomes the landing page's referrer. For example, if you've changed your site so that index.html now redirects to home.html, then index.html becomes the referrer for home.html....

For this reason, you should place the Analytics tag on the redirecting page as well as on the landing page. This way, the redirecting page will capture the actual referrer information for your reports.

So, just swap out header("Location...") with a massive series of print statements. This feels so inelegant. But it works.

Note: I'm also throwing in a canonical attribute so browsers understand the point of the redirect more clearly.

<?php
    $redirect_url = 'https://www.example.com';
    $google_analytics_configgtag = '12345, this is your api key';
    
    print('<!DOCTYPE HTML><HTML><HEAD>');
    print('<META HTTP-EQUIV="REFRESH" CONTENT="0; URL=' . $redirect_url . '"/>');
    print('<LINK REL="CANONICAL" HREF="' . $redirect_url . '"/>');
    
    if($google_analytics_configgtag) {
?>

    <!-- Global Site Tag (gtag.js) - Google Analytics -->
    <script async src="https://www.googletagmanager.com/gtag/js?id=<?php print($google_analytics->configgtag); ?>"></script>
    <script>
          window.dataLayer = window.dataLayer || [];
          function gtag(){dataLayer.push(arguments)};
          gtag('js', new Date());
        
          gtag('config', '<?php print($google_analytics_configgtag); ?>');
    </script>

<?php
    }
print('</HEAD>');
    print('<BODY></BODY></HTML>');
?>

Answer 3

You cannot really change the referer from server-side as it is provided by the browser to the server.

But you can use a service like href.li, just use

 https://href.li/?http://<your-url>

Note: http:// after ? is important or it will not redirect.

Answer 4

The browser does get to choose what referrer to send, but there are ways around it.

HTML5 added meta referrer, most modern browsers will respect it. Just add

<meta name="referrer" content="no-referrer">

to your site's head.

There's also redirection services and other hacks to hide the ref (https redirects, iframe tricks and others).

Answer 5

The Referer header is something the browser sends to the Server. You are changing the respose from the server to the browser, so that will not work this way (unlike the Cookie header). As far as I know you have no server-side control of the browser's behavior on sending the Referer.