Research: no-referrer traffic sources (2026-06-14)
Date: 2026-06-14 · Our-data analysis complete. The online-corroboration pass is still open — no web sources are captured yet.
Summary
Section titled “Summary”No-referrer ≠ real users. Decomposing the no-referrer cohort on the thumbnail
image path, the volume is dominated by datacenter renderers spoofing browser UAs
(~4.5M/mo from two fixed IPs, DC1 and DC2) and generic SDK/library default
UAs (~3.6M/mo). Real browsers with a stripped referrer are a minority
(~1.3M/mo). A single CDN-internal IPv6 (CFINT, the CDN’s own tiered-cache
fabric) shows 153M/mo and is excluded as infra noise.
This de-risks defaulting no-referrer requests to the clean (unwatermarked)
variant — most no-referrer requests are bots/servers/proxies that never render a
buy page, so serving them clean costs ~no conversion. It also confirms dev/local
traffic is separately identifiable: it mostly arrives with a localhost
referrer, so a referrer-host dev rule is high-precision.
The operational guidance that consumes this memo lives in the no-referrer-traffic runbook; the flip design it feeds is an internal repo doc — not published.
Method
Section titled “Method”Parsed a 7-day cohort-candidate pull (2026-05-05→05-12, thumbnail .jpg path,
referrer = empty string; monthly = window × 4.286). Cross-referenced the
noReferrerUserAgentsOverThreshold, xRequestedWithOverThreshold,
noReferrerIpsOverThreshold, and noReferrerIpUserAgentPairsOverThreshold
query sets. For the entity decode behind DC1/DC2/CFINT, see the internal
decoder (not published).
Ranked source taxonomy
Section titled “Ranked source taxonomy”Ranked by estimated monthly requests, with an eyeball classification:
| # | Source bucket | ~req/mo | Eyeballs? | Evidence in our data |
|---|---|---|---|---|
| 1 | Datacenter / server-side renderer spoofing a browser UA | ~4.5M | No | Firefox/150.0 (Win) = 4.52M, of which DC1 (2.68M) + DC2 (1.82M) — two fixed datacenter IPs, same UA |
| 2 | Generic SDK / HTTP-library default UA | ~3.6M | No | bare Mozilla/5.0 3.32M, node 0.07M, okhttp/4.9.2 0.07M, Dart/3.9–3.11 (dart:io) ~0.19M |
| 3 | Real browsers, referrer stripped | ~1.3M | Yes | iPhone Safari 0.60M, Mac Safari 0.35M, Win Chrome 147 0.26M, Android Chrome 0.05M |
| 4 | Native mobile apps (iOS/Android) | ~0.5M | partial | iOS CFNetwork/Darwin UAs: a branded installer app 0.19M, a basketball training app 0.16M; Android via okhttp |
| 5 | Search / social crawlers | ~0.4M | No | Googlebot-Image 0.14M, facebookexternalhit 0.11M, meta-externalads 0.08M, bingbot 0.06M |
| 6 | Email / document image proxies | ~0.17M | indirect | ...GoogleImageProxy (Gmail) 0.09M, ms-office; MSOffice 16 (Outlook/Office) 0.08M |
| 7 | Monitoring / uptime bots | ~0.13M | No | LogicMonitor SiteMonitor/1.0 0.07M, another self-identifying monitoring bot 0.06M |
| — | CDN-internal tiered-cache (CFINT) — excluded | 153M | n/a | single CDN-range IPv6, flagged likelyInternalOrInfra; the cache talking to itself, not traffic |
The three questions, answered
Section titled “The three questions, answered”- Is it mostly servers? Yes — buckets 1, 2, 5, 7 (servers/libraries/bots)
are the clear majority of legitimate no-referrer volume; real browsers are
~1.3M of ~11M over-threshold (after excluding
CFINT). - Is it clearly not an iPhone? Mostly not an iPhone — the largest chunks are Windows/datacenter UAs and bare library UAs. Genuine iPhone Safari no-referrer exists (~0.6M) but is a minority.
- Do apps mostly send referrers? Yes — Android in-app webviews are NOT the
no-referrer problem.
X-Requested-Withapps (facebook 1.75M, instagram 0.68M, etc.) mostly do send a referrer — their no-referrer subset is ~0. The lone exception is an education platform app (0.08M, 100% no-referrer), a native app that strips it.
Conclusion: detect dev by referrer host, not UA
Section titled “Conclusion: detect dev by referrer host, not UA”Dev/local traffic is referrer-bearing, not no-referrer. Local dev mostly
arrives with a localhost (~220k/mo) or 127.0.0.1 (~69k/mo) referrer —
seen in the referrer-host candidates, not the no-referrer set. A referrer-host
rule therefore catches dev precisely without touching the no-referrer bucket,
while UA-based dev detection collides head-on with bucket 2 (server/library
default UAs).
Current direction:
- Treat no-referrer as safe to serve clean by default for conversion purposes (the eyeball minority is small; the bulk is non-buyers/bots).
- Detect dev/local via referrer host, not user-agent.
Where no-referrer is handled today: apps/snippet/watermark-router.snippet.js
(shouldWatermarkRequest returns false on missing Referer). Paying-customer
identifiers live in apps/thumbnail/lib/customers.json and are referenced, not
copied.
Related
Section titled “Related”- No-referrer traffic — the runbook that operationalizes this taxonomy
- Watermark delivery flip & leverage ranking (2026-06-14) — the host ranking this informs
- Source data and the flip design plan are internal repo docs — not published