I think the Referer header kinda-sorta serves as mitigation for 3rd parties just (maliciously) hot-linking to, say, images on your domain, effectively forcing you to bear the cost of upload bandwidth for those images.

(And similar, it's just that images sprang to mind.)

Browsers have clamped down on that somewhat by enforcing stricter referrer policies by default if the originating server doesn't specify one. It used to be a total free for all where everyone could always see the full referring URL, then it was changed to completely blank the referrer on secure-to-insecure transitions, then it was changed again to also blank the path on cross-origin transitions so only the referring origin is revealed.

It is used for tracking, that's the whole point of the header. "Who's sending me all of this traffic" is a useful, non-invasive thing for websites to have access to. You can use rel="noreferrer" on a link to disable the header on a specific link, as well as the `Referrer-Policy` header and `<meta name="referrer" />` to have some additional control (the 'origin-when-cross-origin' value can be useful in some cases, so destination sites can attribute what origin traffic came from, but not the specific page, while still being able to track it on your own origin - I think this is actually the default behavior in browsers these days).

A useful thing you can do is make your html linter error if a link has target=blank without rel=noreferrer

EG https://html-eslint.org/docs/rules/no-target-blank/

It's a little neat that it works without javascript too.

Yeah, I do something similar with my blog (except via JavaScript). The motivation is similar to Cendyne's.

(Because it's exhausting to have to explain for the 1000th time that I'm not going to make my blog non-furry just because some rando hates furries and thinks being a part of a nerd community is pornographic.)