How to Use the HTTP Referer

A web referer offers insight to support customization

http://www shown in address bar

 ilco / Stock.xchng

The information that you see written on websites is only a piece of the data that those sites transmit as they travel from a web server to a person's browser and vice versa. There is also a fair amount of data transfer that happens behind the scenes and if you know how to access that data, you may be able to use it in interesting and useful ways. Let's look at one specific piece of data that is transferred during this process — the HTTP referer.

Referer is a misspelling of the word referrer that was introduced and has remained in the code and the naming of this capability.

What is the HTTP Referer?

The HTTP referer is data that is passed by web browsers to the server to tell you what page the reader was on before he came to the current page. This information can be used on your website to provide extra help, create special offers to targeted users, redirect customers to relevant pages and content, or even to block visitors from coming to your site. Use scripting languages like JavaScript, PHP, or ASP to read and evaluate referrer information. 

Collecting Referer Information With PHP, JavaScript, and ASP

PHP stores referer information in a system variable called HTTP_REFERER. To display the referer on a PHP page, write:

if(isset($_SERVER['HTTP_REFERER'])) {
echo $_SERVER['HTTP_REFERER'];
}

This conditional checks that the variable has a value and then prints it to the screen.

JavaScript uses the DOM to read the referer. Just as with PHP, you should check to make sure that the referer has a value. However, if you want to manipulate that value, you should set it to a variable first. Below is how you would display the referer to your page with JavaScript. Note that the DOM uses the alternate spelling of referrer, adding an extra r in there:

if (document.referrer) {
var myReferer = document.referrer;
document.write(myReferer);
}

Then you can use the referer in scripts with the variable myReferer.

ASP, like PHP, sets the referer in a system variable. Collect that information like this:

if (Request.ServerVariables("HTTP_REFERER")) {
Dim myReferer = Request.ServerVariables("HTTP_REFERER")
Response.Write(myReferer)
}

Use the variable myReferer to adjust your scripts as needed.

Once You Have the Referer, What Can You Do With It?

Once you have the referer data, use it to script your sites in a number of ways. One simple thing that you can do is to just post where you think a visitor came from. Use the referer to display different information depending upon where they came from. For example, you could do the following:

  • General welcome message: Print the referer URL at the top of your page in a general welcome message.
  • Welcome search engine visitors: When someone has arrived at your site from a search engine (i.e. their referer is google.com or bing.com or yahoo.com, etc.), provide them with a little extra information to encourage them to stay longer on your site. 
  • Pass information to forms: If you have a link on your site for people to report problems with the site itself, knowing the referer can be very useful. People will often report problems with a web page without indicating the URL, but you can use the referer information to make a guess about what they are reporting. This script will add the referer to a hidden form field, allowing you some data as to where on the site they may have encountered the problem. 
  • Create a special offer for some visitors: Give people who come from a specific page a special deal on your products or services. This is another example of personalization, where you are shaping their user experience and the content that they see based on their user data. 
  • Send visitors to another page: Send people from a specific referer to another page altogether. Be very careful with this practice, as Google and other search engines might consider this redirection to be misleading and penalize your site.

Block Users with .htaccess by Referer

From a security standpoint, if you experience a lot of spam on your site from one particular domain, block that domain from your site. If you're using Apache with mod_rewrite installed,block them with a few lines. Add the following to your .htaccess file:

RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} spammer\.com [NC]
RewriteRule .* - [F]

Change the word spammer\.com to the domain you want to block. Put the slash in front of any periods in the domain.

Don't Rely on the Referer

Because the referer is spoofable, you should never use the referer alone for security. It's an add-on to your other security, but if a page should only be accessed by specific people, then you should set a password on it with the htaccess file.