A refback is one of four types of linkbacks, methods for Web authors to request notification when somebody links to one of their documents. This enables authors to keep track of who is linking to, or referring to, their articles.
A Refback is simply the usage of the HTTP referrer header to discover incoming links. Whenever a browser traverses an incoming link from Site A (originator) to Site B (receptor) the browser will send a referrer value indicating the URL from where the user came. Site B might publish a link to Site A after visiting Site A and extracting relevant information from Site A such as the title, meta information, the link text, and so on.[1]
Refback only requires Site B to be Refback enabled in order to establish this communication. Refback requires Site A to physically link to Site B. Refback also requires browsers to traverse the links.
As of March 2021, this will only work if the originator site explicitly sets the referrer policy to no-referrer-when-downgrade or unsafe-url either on the whole page using HTTP headers or HTML meta tags or on each individual link pointing to the receptor site.[2] Otherwise, the most popular browsers default to sending only the origin in cross-origin requests, stripping out everything but the domain name in the HTTP Referrer header,[3][4][5] preventing the refback method from working.
If the referred-to site does not validate the referring site URL, it may be subject to referrer spam (due to forged referrer headers) and may end up with links to dynamic web content and private web sites, such as web-based e-mail. Validating the referrer was considered to be a potential denial-of-service attack vector, but is such a trivial attack that modern web server software has been hardened against this kind of attack.[6]
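
The sketch below is an added example, not code from this article or from any Refback implementation. It shows how a receptor site might validate a referrer value before publishing a link. The function names, the `WEBMAIL_HOSTS` denylist and all sample values are hypothetical, and fetching the referring page is left to the caller, which passes the HTML in.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

WEBMAIL_HOSTS = {"mail.example.com"}  # constructed denylist of private web apps


class _LinkCollector(HTMLParser):
    """Collects absolute targets of <a href> elements, fragments removed."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.add(urljoin(self.base_url, href).split("#")[0])


def classify_referrer(referrer, own_host):
    """Return 'candidate' or the reason the referrer value is unusable."""
    parts = urlsplit(referrer or "")
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "malformed"
    host = parts.hostname.lower()
    if host == own_host:
        return "same-site"
    try:
        if not ipaddress.ip_address(host).is_global:
            return "private-host"  # loopback, RFC 1918, link-local, ...
    except ValueError:  # a DNS name, not an IP literal
        if host == "localhost" or host in WEBMAIL_HOSTS:
            return "private-host"
    if parts.path in ("", "/") and not parts.query:
        return "origin-only"  # no page URL, as with the browsers' default policy
    return "candidate"


def links_back(referrer, page_html, target_url):
    """True only if the HTML fetched from `referrer` links to target_url."""
    collector = _LinkCollector(referrer)
    collector.feed(page_html)
    return target_url in collector.links
```

A forged header fails `links_back`, because the page it names does not contain the link. Only referrers classified as `candidate` are worth fetching at all.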