The fact of the matter is these referral links are sent to you by the user agent. As the name implies, that program is entirely under the control of the user. Just because the browser makes HTTP requests automatically when loading pages doesn't mean someone can't craft a custom HTTP request with completely made up metadata and send it to your servers.
It's not really any different from random people sending you random links over a messaging service. Would you click on any "interesting" links sent to you by people you don't know, much less trust? It's the same thing. Offensive websites might have shock value but they're actually quite harmless after you close the tab. What if it's a malware site that exploits some 0day in your browser?
It's not really any different from random people sending you random links over a messaging service. Would you click on any "interesting" links sent to you by people you don't know, much less trust? It's the same thing. Offensive websites might have shock value but they're actually quite harmless after you close the tab. What if it's a malware site that exploits some 0day in your browser?