You could make all your links pass through a proxy redirection or link-shortening service (e.g. bit.ly or goo.gl), but that may raise some eyebrows among users.

You could also (again, not advisable) replace your hyperlinks with ones which trigger a server-side postback and programmatically 'construct' the headers before sending the request off.

All a bit overkill though, in my opinion.

Here is a fool proof way to do this. I use this script in an app that sometimes links to 3rd-party websites from pages who's URLs need to be kept private.

<?php
session_start();

/**
  Setp 1. Get the query string variable and set it in a session, then remove it from the URL.
*/
if (isset($_GET['to']) && !isset($_SESSION['to'])) {
    $_SESSION['to'] = urldecode($_GET['to']);
    header('Location: http://yoursite.com/path/to/this-script.php');// Must be THIS script
    exit();
}


/**
  Step 2. The page has now been reloaded, replacing the original referer with  what ever this script is called.
  Make sure the session variable is set and the query string has been removed, then redirect to the intended location.
*/
if (!isset($_GET['to']) && isset($_SESSION['to'])) {
    $output = '<!DOCTYPE html>
<html>
<head>
<meta name="robots" content="none">
<title>Referral Mask</title>
</head>
<body>
<h3>Redirecting...</h3>
<script>window.location.href="'.$_SESSION['to'].'"</script>
<a href="'.$_SESSION['to'].'">Here is your link</a>
</body>
</html>' . "\n";
    unset($_SESSION['to']);
    echo $output;
    exit();
}
?>
<!DOCTYPE html>
<html>
<head>
<meta name="robots" content="none">
<title>Referral Mask</title>
</head>
<body>
<h1>Referral Mask</h1>
<p>This resource is used to change the HTTP Referral header of a link clicked from within our secure pages.</p>
</body>
</html>

This script uses both PHP and JavaScript to reliably remove the original referrer from the headers.

We use a simple script we developed in-house for an internal task system. We don't want referrer information passed either! When I watch other websites we manage, I do not see any referrer information passed with the request when using the script, but without the script I do.

<?php
// anonym.to.php
// Redirect URLs so the referrer information is dropped. Ideally, this script would be 
// invoked by prefixing all external links like this: "/anonym.to.php?URL"

// If a query string is given, then assume it is a website
// and anonymously redirect to it.
        if ($_SERVER['QUERY_STRING'])
        {
                header('Location: '.$_SERVER['QUERY_STRING']);
                exit(0);
        }
?>

In HTML 5 links should support rel="noreferrer" for this purpose.

Work-around, not a solution:

generate all such links through tinyurl.com or similar service.

Take <url> you want to redirect to, and raw-url-encode it. Generate some random string of say 10-15 chars (to ensure it's availability) lest call it <alias>.

Then call http://tinyurl.com/create.php?alias=<alias>&url=<url>

E.g. http://tinyurl.com/create.php?alias=ahdiwabdoubiadasd&url=http%3A%2F%2Fwww.whatismyreferer.com%2F

Now you can verify that http://tinyurl.com/ahdiwabdoubiadasd leads to www.whatismyreferer.com with referrer disguised

Updated code:

This code is a proof of concept only. Navigation away from the parent page is cancelled and the target url is messaged to an iframe. The iframe loads a dara url, which counts as a "null" origin document. When the frame receives the message, it redirects the user to the target url with a "null" referrer. Since the frame has a null origin, it cannot be messaged directly. As a result, another web page could potentially intercept the message via their own anonymous iframe. In production, you should still use rel="noreferrer" on your links, in case your users have disabled javascript, or a javascript error occurs on your page. In the case of old browsers with JS disabled, the referrer could still be exposed. This example may only be loaded after the body of the web page, so any clicks before the page has fully loaded may not be processed by the script.

(function($) {

  var frame = $('<iframe sandbox="allow-scripts allow-top-navigation" src="data:text/html;charset=utf-8,<scr\ipt>window.addEventListener(\'message\', function(event){ if(event.origin == \'' + window.origin + '\') top.window.location = event.data; });</scr\ipt>" style="displayyyy: none !important;">').appendTo('body');

  $('a').click(function(event) {

    frame[0].contentWindow.postMessage( event.target.href, '*' );
    return false;

  });

})(jQuery);

Original post:

Here's my attempt at a fallback solution using a blank iframe. I haven't gotten it to work, but I'm sharing it in case anybody else want to fiddle with it. Technically the frame is cross-origin, so you can't just click a link in the frame. My thought was to use postMessage to make the frame click itself.

https://jsfiddle.net/skibulk/0oebphet/39/

(function($){

  var frame = $('<iframe src="about:blank" style="displayyyy: none !important;">').appendTo('body');

  $('a[rel~=noreferrer]').click(function(event){

    var win = frame[0].contentWindow;
    win.$ = $;

    frame
    .contents()
    .find('body')
    .append(event.target.outerHTML)
    .append( "<scr\ipt> window.addEventListener('message', function(event){ document.append(event.data); $('a').click(); }); </scr\ipt>" );

    win.postMessage('Hi','*');
    return false;

  });

})(jQuery);