How (and why) to change Mastodon’s Referrer Policy
For a very long time, Mastodon had a hard-coded HTTP Referrer Policy that instructed browsers not to send any referrer information when clicking external links.
Whilst this provides a lot of privacy for Mastodon users, it also means that publishers are unable to see traffic coming from Mastodon in their analytics, giving them the (hopefully incorrect) impression that Mastodon is not a meaningful source of traffic.
Since December 2024 Mastodon has allowed us to configure the Referrer Policy through a system setting, which allows you as server administrator to instruct Mastodon to pass your server name as Referrer in outgoing links.
Configuring Mastodon’s Referrer Policy
As far as I can see, this code hasn’t yet made it into any official release, so at this time you need to run the latest code from the main branch. You also need to have SSH access to the server. (As far as I can tell, they are planning on adding this to the administration section of the backend, but aren’t quite there yet.)
Firstly you need to SSH into your server, and cd into your mastodon directory.
Then start the Rails console:
RAILS_ENV=production bundle exec rails console
And type in the following command:
Setting.allow_referrer_origin = true
There is no need to restart your services.
If you want to revert this at any time, simply run:
Setting.allow_referrer_origin = false
Why you might want to change the Referrer Policy
If you run a reasonably sized Mastodon instance, you may wish to use this new capability and change the Referrer Policy so that publishers can identify traffic coming from Mastodon. Seeing that traffic may help them recognise Mastodon as a source of visitors, which in turn might help them consider Mastodon as a platform worth investigating.
It’s worth pointing out that with this setting enabled, Mastodon’s Referrer Policy will be set to Referrer-Policy: origin. This means that Mastodon will only send your server domain with outgoing clicks, and no information about the specific post/page that the click originated from will be sent. As such, privacy should be preserved, unless you are running a very small instance.
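To confirm which policy your instance actually serves after changing the setting, the following added example (not from the original post or the Mastodon project) reads raw response headers and reports the effective Referrer-Policy and what an external site would receive. The function names, the mastodon.example hostname and the sample headers are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify the Referrer-Policy in raw HTTP response headers (stdin).
# Live use, with mastodon.example as a placeholder for your instance:
#   curl -sI https://mastodon.example/ | referrer_policy_report

# Print the effective policy token. Header names are case-insensitive, and in a
# comma-separated list or a repeated header the last recognised token wins.
effective_referrer_policy() {
  tr -d '\r' | awk '
    BEGIN {
      list = "no-referrer no-referrer-when-downgrade same-origin origin strict-origin"
      list = list " origin-when-cross-origin strict-origin-when-cross-origin unsafe-url"
      n = split(list, k, " ")
      for (i = 1; i <= n; i++) known[k[i]] = 1
    }
    tolower($0) ~ /^referrer-policy:/ {
      line = tolower($0); sub(/^referrer-policy:/, "", line)
      m = split(line, toks, ",")
      for (i = 1; i <= m; i++) {
        t = toks[i]; gsub(/^[ \t]+|[ \t]+$/, "", t)
        if (t in known) policy = t
      }
    }
    END { print (policy == "" ? "unset" : policy) }'
}

# Summarise what an external (cross-origin) site receives for a given policy.
# The strict-* and *-when-downgrade policies send nothing on HTTPS to HTTP links.
cross_origin_exposure() {
  case "$1" in
    no-referrer|same-origin) echo "nothing" ;;
    origin|strict-origin|origin-when-cross-origin|strict-origin-when-cross-origin)
      echo "origin-only" ;;
    unsafe-url|no-referrer-when-downgrade) echo "full-url" ;;
    unset) echo "browser-default" ;;
    *) echo "unknown" ;;
  esac
}

# Print "<policy> <exposure>" for the headers supplied on stdin.
referrer_policy_report() {
  policy=$(effective_referrer_policy)
  echo "$policy $(cross_origin_exposure "$policy")"
}

# Constructed sample headers (not captured from a real server).
printf 'HTTP/2 200\r\nReferrer-Policy: origin\r\n\r\n' | referrer_policy_report
```

A result of "origin origin-only" confirms the setting is in effect; "nothing" means external sites still receive no referrer.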
Why you might not want to change the Referrer Policy
On the other hand, if you are running a very small Mastodon instance, then even just passing the instance domain on outgoing link clicks might be enough for external publishers to identify individual users that have clicked on links, so you may not wish to enable this on a small Mastodon instance for privacy reasons.