- entered the site URL in browser address bar itself.
- visited the site by a browser-maintained bookmark.
- visited the site as first page in the window/tab.
- switched from a https URL to a http URL.
- switched from a https URL to a different https URL. (only if it is blocked by referrer metatag on website)
- has security software installed (antivirus/firewall/etc) which strips the referrer from all requests.
- is behind a proxy which strips the referrer from all requests.
- visited the site programmatically (like, curl) without setting the referrer header (searchbots!).
source: https://stackoverflow.com/questions/6880659/in-what-cases-will-http-referer-be-empty