the referal header is in reference to your browser header (the metadata your browser is sending to the site), not your website header.
What is referral Spam?
Referral Spam is sending multiple requests to a website spoofing the header to make it look like you are sending real traffic to another site. This way, when someone checks their log, they will see 100 or 5,000 or however-many “referrals” from another site that actually sent them no real traffic. Often, you don’t even have a link to the target site from on page of the sending URL you are referral spamming from. By refferral spamming, you will get the clicks from the curious refferral log browsers as well as traffic from the toplists you dominate.
So that said, where are you referring from? Are you clicking a dragonflycms.org link from your site or just typing in the URL? Maybe it's just a matter of the link being on "localhost" and not having a real "trackback"
All that said, I don't think you're doing anything "wrong", so:
Welcome to the wonderful world of Dragonfly, how may we help you?
It is possible you are on a PC that has a domain that has been identified as a source of referral spam.
If I use the same PC to log on directly to this dragonfly site I don't have any problems. The problem only manifests, when I push the panic button on my virtual site.
I just checked the main admin/web site configuration and;
site name = irvinescotland.co.uk
site domain = localhost
site path = /dragonfly/
The quality of my connection may be relevant:
A local business man is hosting my site for free and has connected my winter squat to his internal telephone network. So my connection is through a modem to an internal telephone network onto his business computer network and out to the real world.
CONFIRMED. You cannot hit the Help link from admin while accessing your site from localhost
fyi - My "site domain" is not set for localhost - I have a DNS redirect to it's real domain name normally, but accessing the site from the server via localhost and attempting to access dragonflycms.org activates this security feature.