Hiding Referers

From Meta, a Wikimedia project coordination wiki
Jump to navigation Jump to search

Hiding Referers is a hack that prevents the logging of the refering URL. This is important when wiki software is used within a private corporate intranet. The referer URL typically contains the page name which might have confidential information such as partner identification or project code names and status.

The standard HTTP_REFERER header sent to a website anytime you link to it allows any of the site to view the originating URL. In the case of Wikis, the URL usually contains the page title and thus might contain confidential information such as project code names. See headers output test page for an example of what an externally linked server can see from you.

This addition (built on the 1.7.1 version) creates external links as:


which hides the true refering page.

UPDATED to handle URLs with & in them—that data doesn't appear to exist in $_GET...

--MHart 17:18, 13 October 2006 (UTC)Reply[reply]


Copy the following script and save it to HideReferer.php somewhere in the web-browseable path of your wiki. Note that a simple header("Location:url") doesn't work—the HTTP_REFERER isn't changed.

     if (isset($_GET['hr_url'])) {
          die("<html><body onLoad='location.href=\"" .
              substr($_SERVER['argv'][0],7))) . "\"'></body></html>");
 function HideReferer($url) {
     global $wg_hr_Referer;

     $newurl = $wg_hr_Referer . "?hr_url=" . $url;
     return $newurl;


$wg_hr_Referer = "http://yoursite.com/HideReferer.php";


In two places, add the call to the HideReferer function: function replaceExternalLinks() and function replaceFreeExternalLinks()

# Normalize any HTML entities in input.... etc...
$url = HideReferer($url);
$url = Sanitizer::decodeCharReferences( $url );

It's the same in both functions, slightly different comments leading up to it.