Hide the HTTP-Referer using HTML and JS

Here’s a static HTML / JS page that you can use when you compose links to other sites if you wish to protect the address of the document that refers tp those links.


  Static page for redirecting to a separate page.
  This changes the HTTP-Referer so that the original page is

  Copyright (c) 2014 by Jim Lawless
  See MIT/X11 license at

<head><title>Ditch your HTTP-Referer</title>
<script type="text/javascript">
function pass_it_on() {
   var l=window.location+"";
   var dsp=document.getElementById("display");
   var qsloc=l.indexOf("?");
   if(qsloc>=0) {
      var query_string=unescape(l.substring(qsloc+1));
      dsp.innerHTML="Redirecting to " + query_string;
<body onload="pass_it_on();">

<div id="display">

If you stage this document on a web-server on your machine at localhost and you wish to use a link to https://lawlessguy.wordpress.com in another page, you could use the following URL in an anchor tag:


The HTTP-Referer header would refer to your redir.htm document … not the page where you host the anchor tag above.


About Jim Lawless

I've been programming computers for about 37 years ... 31 of that professionally. I've been a teacher, I've worked as a consultant, and have written articles here and there for publications like Dr. Dobbs Journal, The C/C++ Users Journal, Nuts and Volts, and others.
This entry was posted in Programming and tagged , . Bookmark the permalink.

2 Responses to Hide the HTTP-Referer using HTML and JS

  1. KD says:

    Hi Jim .. Is it possible for me to hide the link to the external js file that is referenced in the header script of my webpage?

    Thanks for your response!

    • Jim Lawless says:

      That’s a little different than what’s described above, but the short answer is ultimately, “no.” You can obfuscate the reference by creating your own script element with some JS and set the “src” attribute to your desired JS file. ( See any article that details the way that JSONP works for an explanation. )

      Unfortunately, anything your browser loads can be viewed pretty easily either by the browser’s debugger or by a proxy/debugging proxy like Fiddler. So, once the browser de-obfuscates the link and loads your JS, it will just show up as an HTTP GET in Fiddler or your debugger with the full hostname and URI.

      There are probably ways with HTML5 and local storage for you to store fragments of JS and reassemble them locally. I just don’t know how I would begin to do something like that.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s