What Is the Referer Header? Filtering Fake, Dangerous, and Invalid Referer Traffic in BotBlocker

The Referer (often misspelled as “Referrer”) HTTP header tells a server which page the visitor came from. For example, if someone clicks a link to your site from another site, their browser typically includes that site’s URL as the Referer.

Why the Referer Header Matters

The Referer header is an important signal in web analytics, security, and access control. It lets website owners:

However, because the header is easy to manipulate or fake, it’s also a common vector for abuse.

Types of Dangerous Referer Scenarios

1. Empty Referer

Some bots and suspicious scripts send no Referer header at all. While legitimate cases exist (bookmarks, direct navigation, privacy tools), a completely empty Referer – combined with other anomalies – is a risk factor for unwanted automation.

2. Fake or Spoofed Referer

Attackers often set Referer to values they control (malware domains, phishing pages, or even your own site’s URLs) to bypass security checks or inject spam into analytics and logs.

3. Malformed or Invalid Referer

Requests with syntactically invalid or garbage Referer values (http://, random strings, IPs with typos, or odd characters) signal automation or attempts to break scripts.

4. Known Dangerous Domains

If Referer matches domains from known malicious sources, spam farms, or previously blacklisted addresses, it’s a clear sign of a threat.

How BotBlocker Filters and Uses Referer

BotBlocker’s Referer analysis includes:

  • Blocking requests with empty Referer when combined with other suspicious factors (like empty User-Agent, PTR mismatch or language anomalies)
  • Detecting and blocking requests with malformed or nonsensical Referer values
  • Identifying traffic with Referer from blacklisted or suspicious domains
  • Optionally, challenging requests whose Referer does not match your whitelist (useful for admin panels, XML-RPC or API endpoints)
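The four checks above, written out as an added illustration (this is not BotBlocker's own code): a classifier that labels a Referer value as empty, malformed, blocklisted or ok, and a decision step that, as the page describes, only blocks on an empty Referer when another signal (here an empty User-Agent or missing Accept-Language) is also present. The block/allow lists and the sample requests are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lists; a real deployment loads these from configuration.
BLOCKLIST = {"spam-farm.example", "malware.example"}
ALLOWLIST = {"example.com"}          # referers allowed on protected paths


def classify_referer(referer):
    """Return 'empty', 'malformed', 'blocklisted' or 'ok' for a Referer value."""
    if referer is None or not referer.strip():
        return "empty"
    try:
        parts = urlsplit(referer.strip())
    except ValueError:                 # e.g. unbalanced IPv6 brackets
        return "malformed"
    host = parts.hostname              # lower-cased by urlsplit
    if parts.scheme not in ("http", "https") or not host:
        return "malformed"             # covers bare "http://" and random strings
    if not all(c.isalnum() or c in ".-" for c in host) or ".." in host:
        return "malformed"             # odd characters in the host part
    if all(p.isdigit() for p in host.split(".")):
        try:
            ipaddress.ip_address(host)  # catches "IPs with typos" like 1.2.3.300
        except ValueError:
            return "malformed"
    if host in BLOCKLIST or any(host.endswith("." + d) for d in BLOCKLIST):
        return "blocklisted"
    return "ok"


def decide(headers, protect_path=False):
    """Combine the Referer verdict with other request signals into allow/challenge/block."""
    verdict = classify_referer(headers.get("Referer"))
    if verdict in ("malformed", "blocklisted"):
        return "block"
    if verdict == "empty":
        # Empty Referer alone is legitimate (bookmarks, privacy tools);
        # block only when paired with another anomaly.
        no_ua = not headers.get("User-Agent", "").strip()
        no_lang = not headers.get("Accept-Language", "").strip()
        return "block" if (no_ua or no_lang) else "allow"
    if protect_path and urlsplit(headers["Referer"]).hostname not in ALLOWLIST:
        return "challenge"             # whitelist mismatch on admin/API paths
    return "allow"
```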

Benefits and Cautions

Filtering on Referer is highly effective against many scraping, brute-force, and spam bots, but:

  • Some real users and privacy tools strip Referer for privacy
  • Legitimate traffic may have empty Referer for direct visits or bookmarks
  • Overly strict filtering can block real visitors, so combine this logic with other checks for accuracy

FAQ

Does Referer filtering block search engines or real users?
Not if you use default, balanced settings. False positives are rare when used alongside User-Agent, Accept-Language, and IP analysis.

Can attackers bypass Referer checks?
Skilled attackers can spoof Referer, but most bots either forget to set it or fill it with junk – easy to catch.

How do I enable Referer filtering?
It’s active by default in BotBlocker’s core logic. Advanced tuning is available for stricter use cases.

MDN: Referer header