Can I rely on the Referer HTTP header in my web application? I want to check if the user came from a particular domain/webpage, and if he or she did, then change the layout of my site accordingly.
I know that people can disable Referer in their browsers. Any idea how often users do that? Can I rely on Referer being present 99% of the time?
Using HTTP_REFERER isn't reliable: its value depends on the HTTP Referer header sent by the browser or client application to the server, and therefore it can't be trusted because it can be manipulated.
Yes, the HTTP Referer header can be spoofed. A common way to play with HTTP headers is to use a tool like cURL; see "How to send a header using an HTTP request through a curl call?" for an example of sending headers with cURL.
You cannot set the Referer header manually, but you can use location.href to set the referer header to the link used in href, although it will cause a reload of the page.
always: always send the header, even from HTTPS to HTTP.
The Referer request header contains the absolute or partial address of the page from which the request is made. It tells a server where people are coming from when they visit a page. This information can be used for analytics, logging, optimized caching, and other purposes.
The request's referrer policy defines what data can be included; see Referrer-Policy for more information and examples. Note: the header name "referer" is actually a misspelling of the word "referrer"; see HTTP referer on Wikipedia for more details. Warning: this header may have undesirable consequences for user security and privacy.
Cutting and pasting a web address into a browser's URL bar, or typing it out manually, will also prevent any Referer header from being sent to the visited website.
As a general rule, you should not trust the HTTP Referer Header for any matter of importance, except for purely informative statistical analysis of who your visitors are or when looking for patterns of behaviour among the users of your own site.
Under no circumstances is it advisable to use this header for AAA (Authentication, Authorization and Accounting), unless, as noted above, you consider Accounting to be the simple traffic analysis of your visitors' behavior.
The Common Weakness Enumeration lists this weakness as CWE-293: Using Referer Field for Authentication:
The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.
Some other and more specific reasons not to trust the Referer Header, include:
In general, when "linking" across an HTTP <-> HTTPS (TLS) connection, most standard Web browsers will not send this header.
For privacy reasons, many corporate proxies are configured to remove/strip this header, so even if a Web browser sends this header, the corporate proxy software may remove it.
Out in the wild, security solutions, malware, browsers embedded into applications, and so on are known to modify and/or tamper with the contents of this header.
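The layout switch the question asks for, written so that Referer is used only for presentation and never for authorization. This is an added example, not code from any answer above; PARTNER_HOSTS and the header dictionaries are constructed for illustration.

```python
"""Pick a cosmetic layout variant from the (untrusted) Referer header.

Referer may be absent, stripped by a proxy, or set to anything by the
client, so a missing or unparseable value simply yields the default.
"""
from urllib.parse import urlsplit

# Hypothetical partner domains whose visitors get a tailored layout.
PARTNER_HOSTS = {"partner.example", "news.example"}


def referring_host(referer):
    """Return the lowercase hostname from a Referer value, or None when
    the header is missing or is not a parseable absolute http(s) URL."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer.strip())
    except ValueError:  # e.g. an unbalanced IPv6 bracket
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def is_partner_host(host):
    """Exact host or subdomain match on whole DNS labels.

    A substring test such as `"partner.example" in host` would also
    accept "partner.example.attacker.test", so compare labels instead.
    """
    if host is None:
        return False
    return host in PARTNER_HOSTS or any(
        host.endswith("." + h) for h in PARTNER_HOSTS
    )


def choose_layout(headers):
    """Map request headers to a layout name. Only presentation depends on
    the result; access decisions must come from real session state."""
    host = referring_host(headers.get("Referer"))
    return "partner" if is_partner_host(host) else "default"


if __name__ == "__main__":
    # Constructed sample requests: absent header, partner, look-alike host.
    for hdrs in ({}, {"Referer": "https://www.partner.example/a?b=1"},
                 {"Referer": "https://partner.example.attacker.test/"}):
        print(hdrs.get("Referer"), "->", choose_layout(hdrs))
```

The look-alike host in the sample falls through to the default layout, and the header's absence (a stripping proxy or a typed URL) is indistinguishable from a direct visit, which is the correct behaviour for a purely cosmetic decision.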
Beware that: