How to Create Password-Protected Short Links That Strip Referrer Data
Most URL shorteners offer either password protection or referrer stripping — not both. TraceNull Business combines them: every click on a password-protected link passes through a passphrase gate and exits with a blank Referer header. This article explains how it works, when to use it, and how to set it up.
How a Password-Protected TraceNull Link Works
The flow when someone clicks your link:
The passphrase is hashed with bcrypt before it touches the SQLite database. TraceNull never stores it in plaintext, never logs it in request bodies, and never sends it to any third-party service.
Why three layers? Because no single mechanism is bulletproof across every browser and proxy configuration. The Node.js header covers the majority of modern browsers. The Caddy header catches edge cases where the app header might be stripped by middleware. The meta-tag fallback handles the rare scenario where both headers are lost — for example, behind certain corporate forward proxies. This defense-in-depth approach is what makes TraceNull's referrer stripping reliable in production.
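The three layers described above, sketched as an added example that is not TraceNull's code. It assumes each layer applies `Referrer-Policy: no-referrer`; all function names are hypothetical, and the header-stripping hop is a constructed stand-in for the proxy case the paragraph mentions.

```javascript
// Added example: the policy value and all names are assumptions, not TraceNull code.
const POLICY = 'no-referrer';

const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Layers 1 and 3: the app sets the response header and embeds the meta tag
// in the exit page served once the passphrase has been accepted.
function buildExitPage(destination) {
  const url = new URL(destination); // throws on malformed input
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error('refusing non-http(s) destination');
  }
  const href = escapeHtml(url.href);
  const body =
    '<!doctype html><html><head>' +
    `<meta name="referrer" content="${POLICY}">` +
    `<meta http-equiv="refresh" content="0;url=${href}">` +
    `</head><body><a rel="noreferrer" href="${href}">Continue</a></body></html>`;
  return {
    status: 200,
    headers: { 'content-type': 'text/html; charset=utf-8', 'referrer-policy': POLICY },
    body,
  };
}

// Layer 2: the reverse proxy sets the header again on the way out.
// Caddyfile equivalent (assumed config): header Referrer-Policy no-referrer
function edgeProxy(res) {
  return { ...res, headers: { ...res.headers, 'referrer-policy': POLICY } };
}

// Constructed failure mode: an intermediary that drops the response header.
function headerStrippingHop(res) {
  const headers = { ...res.headers };
  delete headers['referrer-policy'];
  return { ...res, headers };
}

// Report which layers are still visible to the browser.
function auditLayers(res) {
  const header = (res.headers['referrer-policy'] || '').trim().toLowerCase() === POLICY;
  const meta = /<meta\s+name="referrer"\s+content="no-referrer"\s*\/?>/i.test(res.body);
  return { header, meta, protected: header || meta };
}
```

Running `auditLayers` against a real response captured at the client side of each hop shows which layer is actually doing the work in a given network path.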
Step-by-Step: Creating a Password-Protected Link
Option A — The Dashboard
- Log in to your TraceNull Business account at tracenull.cc.
- Paste your destination URL into the shortener input.
- Click the shield icon (🔒) next to the slug field.
- Enter a passphrase. Use something strong but shareable — a short phrase or a generated token like launch-day-Q3.
- Optionally set an expiry (up to 365 days on Business) and add UTM parameters with the built-in UTM builder.
- Click Shorten. You'll get your short URL plus a QR code you can embed in presentations or PDFs.
Option B — The API
If you're generating links programmatically — say, from a CI/CD pipeline that deploys preview environments — use the TraceNull API:
The API returns the short URL and a passwordProtected: true flag. The ttl field is in days — set it to 7 for a one-week review link that self-destructs.
Tip: Pair password-protected links with short TTLs for maximum security. A link that expires in 48 hours and requires a passphrase is extremely difficult to exploit, even if the slug is discovered.
Real-World Use Cases
1. Affiliate Marketers Sharing Offer Links Internally
You manage a team of media buyers. Each buyer needs access to the current offer URL, but you don't want the URL floating around in public Telegram groups. Create a password-protected TraceNull link, share the passphrase in a secure channel, and rotate both weekly. Because the referrer is stripped, the affiliate network never sees your internal tooling domain.
2. Publishers Distributing Pre-Launch Content
You're sending an embargoed article link to 30 journalists. A password-protected short link ensures only recipients with the passphrase can read the page. If one of them accidentally tweets the short URL, it's useless without the code — and the article's CMS never sees the referrer of your email platform.
3. B2B Teams Sharing Client Dashboards
Your analytics dashboard has a sharable URL with a long query string full of client IDs. Shortening it is convenient; password-protecting it is essential. Your client enters the passphrase once, lands on the dashboard, and the dashboard's own analytics sees a direct visit — no leaked shortener domain, no leaked internal path.
4. QR Codes on Physical Media
Print a QR code on a conference handout. The QR resolves to a TraceNull password-protected link. Attendees scan, enter the event code displayed on the keynote slide, and reach your downloadable asset. Anyone who finds the handout later can't access the file without the code.
Security Considerations
Password-protected links are not a replacement for proper access control on the destination server. They gate the short link, not the destination: an additional barrier between the public internet and your content, which anyone who already has the destination URL can bypass. Best practices:
- Use unique passphrases per link. Don't reuse the same passphrase across dozens of links. If one leaks, only one link is compromised.
- Rotate aggressively. On TraceNull Business, you can update the passphrase of a live link via the API without changing the slug. Do this weekly for long-lived links.
- Combine with TTL. A 365-day link with a weak passphrase is worse than a 7-day link with a strong one. Match the TTL to the actual need.
- Don't embed the passphrase in the same message as the link. Send the link in one channel (email) and the passphrase in another (Slack DM, Signal). This mirrors the principle of split-knowledge authentication.
How This Compares to Other Shorteners
Most mainstream URL shorteners — Bitly, TinyURL, Rebrandly — either don't offer password protection at all, or offer it only on enterprise tiers without referrer stripping. With those services, even if the link is gated, the redirect still sends a Referer header to the destination. That header can reveal the shortener domain, the slug, and sometimes the full embed context.
TraceNull is purpose-built for privacy. Password protection and referrer stripping are not bolted-on afterthoughts; they're the core architecture. The three-layer stripping mechanism works on every link, including password-protected ones, with zero configuration.
Ready to Lock Down Your Links?
Password-protected, referrer-stripped short links with QR codes, analytics, and API access — all on TraceNull Business.
Wrapping Up
Sharing a URL shouldn't mean surrendering control over who can access it or what metadata leaks when they do. Password-protected links add an authentication layer; referrer stripping removes the data trail. TraceNull delivers both — backed by bcrypt hashing, three independent stripping mechanisms, and a strict no-IP-logging policy.
If you're sharing anything more sensitive than a cat meme, you owe it to yourself and your recipients to gate it properly. Create your first password-protected link at tracenull.cc — it takes about ten seconds.