Improving Privacy with Referer Control in Chrome — Tips & Tricks

Referer Control for Chrome — Best Settings for Privacy and Compatibility

Overview (Feb 8, 2026): Referer Control is a Chrome extension that lets you modify the HTTP Referer header Chrome sends when navigating between sites. Proper configuration improves privacy by reducing cross-site tracking while keeping site functionality intact.

How it works

  • The extension intercepts outgoing requests and replaces, strips, or restricts the Referer header according to rules you set.
  • Rules can target domains, subdomains, paths, or use wildcards. You can set defaults plus site-specific exceptions.

Recommended global settings

  • Default policy: Set to “Origin” — sends only the origin (scheme + host, e.g., https://example.com) instead of full URLs. Good balance of privacy and compatibility.
  • Block third-party referers: Enable or create a rule that strips Referer on third-party requests (requests to different origins), particularly for cross-site trackers and embedded resources.
  • HTTPS→HTTP: Set to “No Referer” or “Origin only” when navigating from HTTPS to HTTP to avoid leaking secure page paths.

Site-specific exceptions (compatibility)

  • Add allow rules (e.g., “Full” or “No change”) for sites that break without a full referer: payment processors, SSO providers (Okta, Auth0), some enterprise sites, analytics/tracking you rely on, or sites with strict CSRF checks that compare the Referer against their own origin.
  • Use the narrowest scope possible (specific host or path) to avoid overbroad allowances.

Rule examples

  • Global default: origin
  • .bank.com -> full (if required by bank)
  • accounts.example-sso.com -> full
  • .cdn.example.com -> no-referrer for cross-origin resource loads
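The global settings and the rule examples above can be checked against a small model of the decision the extension makes per request. The following is an added example, not the extension's own code; it assumes the rule keys, the `kind` argument ("navigation" or "subresource") and that the HTTPS→HTTP guard is applied before site exceptions.

```javascript
// Added example, not the extension's own code: a small model of how a Referer
// Control rule set like the one recommended above decides the Referer header.
// Host rules follow the page's convention: a leading dot matches the host and
// all of its subdomains; any other entry matches that one host exactly.
const RULES = {
  defaultPolicy: "origin",         // global default: scheme + host only
  stripThirdParty: true,           // no Referer on cross-origin subresources
  downgradePolicy: "no-referrer",  // HTTPS -> HTTP (page also allows "origin")
  hosts: {
    ".bank.com": "full",
    "accounts.example-sso.com": "full",
    ".cdn.example.com": "no-referrer",
  },
};

// Most specific matching host rule: an exact host beats a dotted suffix and a
// longer suffix beats a shorter one. Returns undefined when nothing matches.
function hostPolicy(host, rules) {
  let best, bestLen = -1;
  for (const [pattern, policy] of Object.entries(rules.hosts)) {
    const matches = pattern.startsWith(".")
      ? host === pattern.slice(1) || host.endsWith(pattern)
      : host === pattern;
    if (matches && pattern.length > bestLen) { best = policy; bestLen = pattern.length; }
  }
  return best;
}

// Referer value a request from `fromUrl` to `toUrl` carries; `kind` is
// "navigation" or "subresource". Returns null when no header is sent at all.
// Assumption: the HTTPS -> HTTP guard runs before site exceptions, so no
// exception can leak a secure page's path over plaintext.
function refererFor(fromUrl, toUrl, kind, rules) {
  const from = new URL(fromUrl), to = new URL(toUrl);
  let policy;
  if (from.protocol === "https:" && to.protocol === "http:") {
    policy = rules.downgradePolicy;
  } else {
    policy = hostPolicy(to.hostname, rules);
    if (policy === undefined) {
      const thirdParty = kind === "subresource" && from.origin !== to.origin;
      policy = thirdParty && rules.stripThirdParty ? "no-referrer" : rules.defaultPolicy;
    }
  }
  if (policy === "no-referrer") return null;
  if (policy === "full") return from.href;  // full URL incl. path and query
  return from.origin + "/";                 // "origin": scheme + host only
}
```

Running `refererFor` with a DevTools-observed source and destination URL is a quick way to confirm which of your rules won for a given request before adding another exception.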

Testing after changes

  1. Open DevTools → Network.
  2. Reload a page; inspect request headers for Referer on navigation and resource requests.
  3. Visit sites that previously failed (login, payments) to confirm functionality.

Troubleshooting

  • If login or redirects fail, temporarily set that site to “Full” referer and retry.
  • If embedded media fails to load, check whether the resource host requires a referer and add a narrow exception.
  • Use incognito with the extension enabled (if allowed) to test minimal settings without other extensions interfering.

Tips

  • Start with conservative privacy (Origin), then add exceptions as needed.
  • Prefer host-level exceptions over wildcards. Use path-level rules only when necessary.
  • Combine with other privacy tools (uBlock Origin, HTTPS-Only mode) for layered protection.

If you want, I can generate a practical rule set for your browsing profile (privacy-first, developer, or enterprise) — tell me which and I’ll provide exact rules you can paste into the extension.
