What are HTTP headers?
An HTTP header is information that is sent with every HTTP request that your web browser makes. More info can be found here. An example of the headers sent with a request (request headers) is shown below:
GET /home.html HTTP/1.1
Host: developer.mozilla.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://developer.mozilla.org/testpage.html
Connection: keep-alive
Upgrade-Insecure-Requests: 1
If-Modified-Since: Mon, 18 Jul 2016 02:36:04 GMT
If-None-Match: "c561c68d0ba92bbeb8b0fff2a9199f722e3a621a"
Cache-Control: max-age=0
Chameleon options
Enable DNT (Do Not Track)
Adds the Do Not Track (DNT) header to your requests. This DOES NOT mean that you will not get tracked on the web. By enabling this option you are expressing that you prefer not to be tracked. You will have to trust the server to honor your request. More info can be found here.
Prevent Etag tracking
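ETags are used to control how long files are cached by the browser. Because the browser sends a stored ETag value back to the server when it checks whether a cached file is still current (the If-None-Match header in the example above), they can be used to track you online without cookies. More info can be found here.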
Spoof Accept-Language
This may change the language of the content returned to the browser. For example, changing YouTube's text from English to Chinese regardless of where the user is located. More info can be found here.
Spoof X-Forwarded-For/Via IP
You can fool several sites that obtain your IP address by setting the X-Forwarded-For/Via header fields. This does not work on most sites and will not make you anonymous online.
Referer options
The referer header field lets a web server know where people are visiting from. For example, when you perform a search for "cake recipes" and click a link to someone's website, the server now knows which search engine was used to get to a page. This provides useful information to website owners who can use the referer for analytics. However, there are some privacy and security concerns that are detailed here.
Disable referer
This clears the referer header. While useful, it can break sites and redirects.
Referer X Origin Policy
Do not modify the about:config setting: network.http.referer.XOriginPolicy.
A request made to a domain different from the web page that the request is coming from is a "cross origin" request.
Option | Description |
---|---|
Always send | Always send the referer for X Origin requests |
Match base domain | Only send the referer for X Origin requests if the base domain matches. If a request from a web page, news.example.com, is made to test.com, the referer will not be sent because the two URLs do not share the same base domain (example.com, test.com). |
Match host | Only send the referer for X Origin requests if the hostname matches. If a request from a web page, news.example.com, is made to news.example.com, the referer will be sent because both URLs share the same hostname (news.example.com). |
Referer Trimming Policy
Do not modify the about:config setting: network.http.referer.trimmingPolicy.
Option | Description |
---|---|
Send full URI | Sends the full referer |
Scheme, host, port, path | Sends the scheme, host, port and path of the URL; strips query strings. Before: https://example.com:8080/page?privacy=false&trackingid=XYZ After: https://example.com:8080/page |
Scheme, host, port | Sends the scheme, host, and port of the URL. Before: https://example.com:8080/page?privacy=false&trackingid=XYZ After: https://example.com:8080/ |
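The two referer policies above combine into a single decision: whether the header is sent at all, and how much of the URL it carries. The following is an added example, not Chameleon's own code; the function names and option strings are hypothetical, and the base domain is approximated as the last two host labels instead of using the Public Suffix List.

```javascript
// Added example, not Chameleon's code. Option names are hypothetical labels
// for the table rows above.

// Simplification: base domain = last two host labels. Browsers use the
// Public Suffix List, so this is wrong for hosts such as example.co.uk.
function baseDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// X Origin policy: may the referer be sent from source to target?
function passesXOrigin(source, target, xOrigin) {
  switch (xOrigin) {
    case 'always':
      return true;
    case 'matchBaseDomain':
      return baseDomain(source.hostname) === baseDomain(target.hostname);
    case 'matchHost':
      return source.hostname === target.hostname;
    default:
      throw new Error('unknown X Origin policy: ' + xOrigin);
  }
}

// Trimming policy: how much of the source URL is sent.
// URL.origin is scheme + host + port; the fragment is never part of a referer.
function trimReferer(source, trimming) {
  switch (trimming) {
    case 'full':
      return source.origin + source.pathname + source.search;
    case 'path':
      return source.origin + source.pathname;
    case 'origin':
      return source.origin + '/';
    default:
      throw new Error('unknown trimming policy: ' + trimming);
  }
}

// Returns the Referer header value, or null when the header is withheld.
function refererFor(sourceUrl, targetUrl, xOrigin, trimming) {
  const source = new URL(sourceUrl);
  const target = new URL(targetUrl);
  if (!passesXOrigin(source, target, xOrigin)) return null;
  return trimReferer(source, trimming);
}

// Constructed sample: the page's own "Before" URL, requested from test.com.
const page = 'https://example.com:8080/page?privacy=false&trackingid=XYZ';
console.log(refererFor(page, 'https://test.com/', 'always', 'path'));
```
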