Q1: Has anyone come across statistics or other meaningful evidence that would shed light on which Referer mitigation is most common these days? Examples:

- Block Referer header
- Use target URL as the Referer value
- Use the root of the target URL as the Referer value

Q2: Assume someone wants to break Referer *and* they aren't at all concerned about breaking/accessing pages. They will either block or forge in some way, which could be factored in by fingerprinting routines they encounter. WRT this fingerprinting concern, do you prefer one mitigation over the others?