Skip to content

Research: no-referrer traffic sources (2026-06-14)

Date: 2026-06-14 · Our-data analysis complete. The online-corroboration pass is still open — no web sources are captured yet.

No-referrer ≠ real users. Decomposing the no-referrer cohort on the thumbnail image path, the volume is dominated by datacenter renderers spoofing browser UAs (~4.5M/mo from two fixed IPs, DC1 and DC2) and generic SDK/library default UAs (~3.6M/mo). Real browsers with a stripped referrer are a minority (~1.3M/mo). A single CDN-internal IPv6 (CFINT, the CDN’s own tiered-cache fabric) shows 153M/mo and is excluded as infra noise.

This de-risks defaulting no-referrer requests to the clean (unwatermarked) variant — most no-referrer requests are bots/servers/proxies that never render a buy page, so serving them clean costs ~no conversion. It also confirms dev/local traffic is separately identifiable: it mostly arrives with a localhost referrer, so a referrer-host dev rule is high-precision.

The operational guidance that consumes this memo lives in the no-referrer-traffic runbook; the flip design it feeds is an internal repo doc — not published.

Parsed a 7-day cohort-candidate pull (2026-05-05→05-12, thumbnail .jpg path, referrer = empty string; monthly = window × 4.286). Cross-referenced the noReferrerUserAgentsOverThreshold, xRequestedWithOverThreshold, noReferrerIpsOverThreshold, and noReferrerIpUserAgentPairsOverThreshold query sets. For the entity decode behind DC1/DC2/CFINT, see the internal decoder (not published).

Ranked by estimated monthly requests, with an eyeball classification:

#Source bucket~req/moEyeballs?Evidence in our data
1Datacenter / server-side renderer spoofing a browser UA~4.5MNoFirefox/150.0 (Win) = 4.52M, of which DC1 (2.68M) + DC2 (1.82M) — two fixed datacenter IPs, same UA
2Generic SDK / HTTP-library default UA~3.6MNobare Mozilla/5.0 3.32M, node 0.07M, okhttp/4.9.2 0.07M, Dart/3.9–3.11 (dart:io) ~0.19M
3Real browsers, referrer stripped~1.3MYesiPhone Safari 0.60M, Mac Safari 0.35M, Win Chrome 147 0.26M, Android Chrome 0.05M
4Native mobile apps (iOS/Android)~0.5MpartialiOS CFNetwork/Darwin UAs: a branded installer app 0.19M, a basketball training app 0.16M; Android via okhttp
5Search / social crawlers~0.4MNoGooglebot-Image 0.14M, facebookexternalhit 0.11M, meta-externalads 0.08M, bingbot 0.06M
6Email / document image proxies~0.17Mindirect...GoogleImageProxy (Gmail) 0.09M, ms-office; MSOffice 16 (Outlook/Office) 0.08M
7Monitoring / uptime bots~0.13MNoLogicMonitor SiteMonitor/1.0 0.07M, another self-identifying monitoring bot 0.06M
CDN-internal tiered-cache (CFINT) — excluded153Mn/asingle CDN-range IPv6, flagged likelyInternalOrInfra; the cache talking to itself, not traffic
  • Is it mostly servers? Yes — buckets 1, 2, 5, 7 (servers/libraries/bots) are the clear majority of legitimate no-referrer volume; real browsers are ~1.3M of ~11M over-threshold (after excluding CFINT).
  • Is it clearly not an iPhone? Mostly not an iPhone — the largest chunks are Windows/datacenter UAs and bare library UAs. Genuine iPhone Safari no-referrer exists (~0.6M) but is a minority.
  • Do apps mostly send referrers? Yes — Android in-app webviews are NOT the no-referrer problem. X-Requested-With apps (facebook 1.75M, instagram 0.68M, etc.) mostly do send a referrer — their no-referrer subset is ~0. The lone exception is an education platform app (0.08M, 100% no-referrer), a native app that strips it.

Conclusion: detect dev by referrer host, not UA

Section titled “Conclusion: detect dev by referrer host, not UA”

Dev/local traffic is referrer-bearing, not no-referrer. Local dev mostly arrives with a localhost (~220k/mo) or 127.0.0.1 (~69k/mo) referrer — seen in the referrer-host candidates, not the no-referrer set. A referrer-host rule therefore catches dev precisely without touching the no-referrer bucket, while UA-based dev detection collides head-on with bucket 2 (server/library default UAs).

Current direction:

  • Treat no-referrer as safe to serve clean by default for conversion purposes (the eyeball minority is small; the bulk is non-buyers/bots).
  • Detect dev/local via referrer host, not user-agent.

Where no-referrer is handled today: apps/snippet/watermark-router.snippet.js (shouldWatermarkRequest returns false on missing Referer). Paying-customer identifiers live in apps/thumbnail/lib/customers.json and are referenced, not copied.