About the Referer header, from what I read the header is not sent only
if "an unsecured HTTP request is used and the referring page was
received with a secure protocol (HTTPS)" [1] That should be rare since
the search engines now redirect to HTTPS right away and people would be
entering their search terms in a form submitted over HTTPS.
A spot check of a few browsers shows the Refer header in use for these
at least when using HTTPS:
Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101
Firefox/56.0
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML,
like Gecko) QupZilla/1.8.9 Safari/538.1
Mozilla/5.0 (X11; CrOS x86_64 9765.85.0) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/61.0.3163.123 Safari/537.36
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75
Safari/537.36
Lynx/2.8.9dev.11 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/3.5.6
The Referrer Policy is in the draft stage [2] and might or might not
affect source web sites in the future, but if it does it looks like it
is a very long way from becoming widely deployed, years if ever. So it
is unlikely to be a factor in Q1 2018 or Q2 2018
[2]
https://w3c.github.io/webappsec-referrer-policy/#
referrer-policy-origin
The referrer policy is already in use at Google, which is why we don't see
users' search queries in referer field in our request logs; just that they
came from Google.
- Mikhail