Glossary

Referer

HTTP header tracking the origin URL

The Referer header (yes, misspelled: the 1996 HTTP/1.0 spec, RFC 1945, carried the typo and it became the canonical form) is sent by browsers on most requests and contains the URL of the document the request originated from: the page holding the link the user clicked, or the page that loaded the image, script or stylesheet.

Used for:

  • Web analytics — “where did this traffic come from?”
  • Hot-link prevention — image hosts checking that requests originate from approved sites.
  • CSRF defence-in-depth — some apps verify that the Referer's origin matches the expected origin. Treat it as a secondary check only: browsers omit the header under strict referrer policies and on HTTPS-to-HTTP downgrades, so the check must decide explicitly what to do when it is absent, and the Origin header is the more reliable signal where it is present.
  • Affiliate attribution — tracking which partner site drove a conversion.

Modern privacy concern: the full URL, including any tokens, search queries or PII carried in its path or query string, leaks to every third-party resource the page loads and to every external site it links to (the fragment after # is never sent, and credentials embedded in the URL are stripped). The Referrer-Policy response header (note: correctly spelled this time) controls how much referrer information browsers send; the same values can be set per document with a <meta name="referrer"> tag or per element with the referrerpolicy attribute:

  • no-referrer: never send a Referer header.
  • same-origin: send full URL to same-origin requests, nothing to others.
  • strict-origin-when-cross-origin: send the full URL to same-origin requests, only the origin (scheme, host, port) to cross-origin requests that keep the same security level (HTTPS to HTTPS), and nothing on an HTTPS-to-HTTP downgrade. The default in modern browsers when no policy is set.
  • unsafe-url: send full URL always. Avoid.

For privacy-sensitive applications, set a strict policy on every response, and keep secrets out of URLs regardless: Referrer-Policy limits what browsers send onward, but a URL still lands in server logs, proxy logs, browser history and bookmarks.

Published May 15, 2026