Description
Looking at this,
https://github.com/expressjs/express/blob/master/lib/request.js#L79
It seems like express checks referrer (with two "r"s) first, then referer next.
Is there a particular reason why the double-r is checked first?
It seems like single-r should be checked first because it's standard.
Another reason to check single-r first is because it's easier to spoof double-r than it is to spoof single-r (with a web browser, anyway). Some browsers block attempts to modify the single-r header. But I don't think any browser blocks attempts to spoof double-r.
If it were me, I'd even go as far as to not check double-r at all. But that would be a breaking change and one can easily do this by just accessing req.headers.referer and not using req.header().
I'm just curious why req.header() was made to behave this way.
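The lookup the issue describes, as an added example (not Express's own code): a helper that models `req.header('referer')` over a plain headers object and returns the double-r header first, next to reading `req.headers.referer` directly as the issue suggests. The sample header values and the `refererMatchesOrigin` helper are constructed for illustration.

```javascript
// Models the behaviour the issue points at: both spellings are accepted and the
// double-r header wins when both are present (added example, not Express's code).
function expressStyleHeader(headers, name) {
  const lc = name.toLowerCase();
  if (lc === 'referer' || lc === 'referrer') {
    return headers.referrer || headers.referer;
  }
  return headers[lc];
}

// Explicit access to the standard single-r header only, as the issue suggests.
function standardReferer(headers) {
  return headers.referer;
}

// Defensive use: treat the value as an untrusted hint, require it to parse as an
// absolute URL and match the expected origin; never use it for authorization.
function refererMatchesOrigin(referer, expectedOrigin) {
  if (typeof referer !== 'string') return false;
  try {
    return new URL(referer).origin === expectedOrigin;
  } catch {
    return false; // malformed or relative value
  }
}

// Constructed sample headers (Node lowercases incoming header names), with a
// non-standard double-r header present alongside the standard one.
const sampleHeaders = {
  referer: 'https://app.example.com/dashboard',
  referrer: 'https://spoofed.example.net/',
};

function demo() {
  const viaHelper = expressStyleHeader(sampleHeaders, 'Referer');
  const viaHeaders = standardReferer(sampleHeaders);
  return {
    viaHelper,
    viaHeaders,
    helperTrusted: refererMatchesOrigin(viaHelper, 'https://app.example.com'),
    directTrusted: refererMatchesOrigin(viaHeaders, 'https://app.example.com'),
  };
}

console.log(demo());
```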