diff --git a/src/web/auth.js b/src/web/auth.js
index b71c4887..1132d6b0 100644
--- a/src/web/auth.js
+++ b/src/web/auth.js
@@ -20,6 +20,11 @@ const LOGGER = require('@calzoneman/jsli')('web/auth');
 
 function getSafeReferrer(req) {
     const referrer = req.header('referer');
+
+    if (!referrer) {
+        return null;
+    }
+
     const { hostname } = url.parse(referrer);
 
     // TODO: come back to this when refactoring http alt domains