How do I hide referrer info to linked external sites

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Purpose

Most web servers maintain logs of all traffic, and record the HTTP referrer sent by the web browser for each request. This raises a number of privacy concerns, and as a result, a number of systems to prevent web servers being sent the real referring URL have been developed. These systems work either by blanking the referrer field or by replacing it with inaccurate data. This system is often called Referrer Hiding.

Confluence users may wish to anonymize external links that exists in their Confluence pages to make sure that the external Websites owners will not be able to see that their sites are being linked in their Confluence page.

This is a difficult problem to solve due to the state of web browsers, and is not something that can be toggled in Confluence itself, but has to rely on the standards of the web to address.

A feature request for this has been closed as 'Won't Fix':  CONF-4085 - Getting issue details... STATUS


Solution


Please note that all the workaround stated in this page are beyond Atlassian Support Offerings.

  1. Using HTTPS regardless of how it impacts referrer data for general security. However, it will *not* hide the referrer when the link points to another HTTPS site.
  2. Add the rel=noreferrer attribute to all your link elements. Use the following Javascript to do this:

    function hideRefer(e) {
    var a = e.target;
    if (a && a.tagName !== 'A') a = a.parentNode;
    if (a && a.tagName === 'A') {
    a.rel = 'noreferrer';
    }
    }
    window.addEventListener('mousedown', hideRefer, true);
    window.addEventListener('keydown', hideRefer, true);
  3.  Modify headers by using proxy. We recommend mod_proxy for Confluence

    1. Using Apache with mod_proxy

  4. Use RequestHeader Directive to 'unset' the referrer header with mod_proxy

    1. http://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader

  5. Go to Confluence Admin > Custom HTML and add the following to At end of the HEAD:

    <meta name="referrer" content="no-referrer"/>

    Can break features in Confluence version 7.19 and above

    It has been noticed that setting the above content to no-referrer  can cause the Global Search function not to operate normally whilst using Firefox Web Browser. Please consider using same-site instead of no-referrer to avoid this problem.

    For Firefox Browser:

    The POST call for /rest/wrm/2.0/resources will fail with 403 HTTP response code in HAR and in atlassian-confluence.log file, you will get the following error if <meta name="referrer" content="no-referrer"/> is present in Custom HTML Head section.

    WARN [http-nio-80-exec-09] [common.security.jersey.XsrfResourceFilter] passesAdditionalBrowserChecks Additional XSRF checks failed for request: https://<base-url>/rest/wrm/2.0/resources , origin: null , referrer: null , credentials in request: true , allowed via CORS: false
     -- url: /rest/wrm/2.0/resources | userName: admin | traceId: 5c1a7d9be319994d

Last modified on Jul 1, 2024

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.