Your URLs Are Leaking Private Data to Every Site You Link To
By The bee2.io Engineering Team at bee2.io LLC

The Referer Header: Your Website's Biggest Blabbermouth
Imagine you're browsing the web, minding your own business, clicking links like a normal person. What you probably don't realize is that every single time you click, your browser is essentially tattooing your browsing history onto every website you visit next. It's like walking into a coffee shop while wearing a sandwich board that lists everywhere you've been that morning. "Oh hey, I see you just came from a site about hemorrhoid cream. Cool, cool, cool."
This happens because of something called the HTTP Referer header (yes, it's misspelled in the actual spec, and no, we can't fix it without breaking the entire internet). When your browser requests a resource from a website, it automatically includes information about where you're coming from. Sounds innocent enough, right? Wrong. Dead wrong.
Here's where it gets spicy: that Referer header includes your full URL, which means all your query parameters get sent along for the ride. Query parameters are those little things after the question mark in your URL that often contain search terms, user IDs, session tokens, and other deeply personal information you definitely didn't mean to share with third parties.
Published research suggests that roughly 60-70% of websites are leaking sensitive data through the Referer header on a daily basis. That's not a typo. Most websites. Leaking. Stuff. Every day.
What Your URLs Are Actually Telling Strangers
Let's get concrete here, because abstract privacy violations are boring. Imagine you're on a major e-commerce site looking at a product with a URL like this:
example-shop.com/product?id=12345&user_id=john_doe_98&price=899.99
You click a link to an external review site. Guess what that review site just learned about you? All of that. Your user ID, the specific product you were looking at, the price you were seeing. It's the web development equivalent of putting a padlock on your front door while leaving every window wide open and a neon sign that says FREE STUFF.
And it gets worse. When that review site loads tracking pixels and embeds widgets from ad networks and analytics platforms, those third parties ALSO get your full URL with all its delicious personal data. You've just handed over your information to companies you've never heard of, whose entire business model is knowing things about you that you didn't want them to know.
One major retailer we've scanned was leaking customer session IDs through the Referer header. Session IDs! Those are basically skeleton keys to someone's account. Another popular SaaS platform was broadcasting search queries that included client names and project details. Oopsie.
The Referer Policy: Your Get-Out-of-Jail-Free Card (That Almost Nobody Uses)
Here's the good news: there's actually a solution that's been available for years. It's called the Referrer-Policy header (and yes, they spell it correctly this time, because consistency is apparently optional in web standards).
Website owners can set this header to control exactly what information gets sent in the Referer header. The options include:
- no-referrer - sends nothing. Total information blackout.
- no-referrer-when-downgrade - only sends the Referer if you're going from HTTPS to HTTPS (prevents downgrade attacks).
- same-origin - only sends the Referer to your own domain. Keeps your business to yourself.
- strict-origin-when-cross-origin - sends only the domain (not the full URL) when navigating to other sites. The Goldilocks option.
The problem? Most websites either don't know about this or can't be bothered to implement it. It's like knowing there's a deadbolt for your door but choosing to leave it unlocked because "it's probably fine." Narrator: It was not fine.
What You Actually Need To Do Right Now
If you own or maintain a website, this is your call to action (non-salesy, we promise):
- Add a Referrer-Policy header to your site. Seriously. Today. It takes five minutes. Put this in your HTTP headers or your meta tags: Referrer-Policy: strict-origin-when-cross-origin
- Audit your URLs for sensitive query parameters. If you're passing user IDs, prices, or search terms in the URL, reconsider. Move that stuff to POST requests or sessions.
- Use tools like SCOUTb2 to scan your actual site and see what data you're leaking. Not as a plug, but as a "please for the love of all that is holy, check this."
- Tell your team about this. Make it someone's problem. Preferably someone who deserves it.
The internet doesn't have to be a data leak buffet. You have the power. Use it.
Disclaimer: This article is for informational purposes only and does not constitute legal, professional, or compliance advice. SCOUTb2 is an automated scanning tool that helps identify common issues but does not guarantee full compliance with any standard or regulation.
Stop finding issues manually
SCOUTb2 scans your entire site for accessibility, performance, and SEO problems automatically.