How reliable is HTTP_REFERER?

Tags:

http-referer

I need to check and record the referrer of visitors to my web application. How reliable is using HTTP_REFERER? And are there other alternatives?

willz asked May 16 '11 22:05




1 Answer

Using HTTP_REFERER isn't reliable: its value depends on the HTTP Referer header sent by the browser or client application to the server, and therefore it can't be trusted because it can be manipulated.

Regarding the Referer header, section 15.1.2 of RFC2616 states:

Therefore, applications SHOULD supply as much control over this information as possible to the provider of that information.

and

We suggest, though do not require, that a convenient toggle interface be provided for the user to enable or disable the sending of From and Referer information.

Many online privacy tools mangle this value, and many browsers such as Firefox have for a long time permitted users to prevent this header from being sent. So in a nutshell, I wouldn't rely on it for any serious purpose, for example securing forms so that drive-by spammers can't post values, because the Referer can be spoofed.

For further reading see:

Using referer field for authentication or authorization (WayBackMachine)

Kev answered Sep 22 '22 13:09

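To make the answer's point concrete, here is an added example (not part of the original question or answer) that models a form handler in Python. It compares a Referer allow-list check with a per-session CSRF token check: a request whose client simply wrote an in-house Referer itself passes the Referer check, while a genuine user whose privacy tool strips the header fails it, and only the token check gives the right decision in both cases. The origin `https://app.example`, the session secret, and the request shape (plain dicts) are constructed assumptions for the example.

```python
"""Added example, not from the original post: a Referer allow-list check
beside a CSRF token check, to show why the former is only a weak signal.

Assumptions (constructed for this example): the application is served from
https://app.example, each session holds a random secret, and form posts
carry a token derived from that secret in a hidden field. Requests are
modelled as dicts of headers and form fields.
"""
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit

# Origins we would accept in a Referer header (constructed value).
ALLOWED_ORIGINS = {"https://app.example"}


def referer_origin(headers):
    """Return scheme://host[:port] from the Referer header, lower-cased,
    or None when the header is absent or not an absolute URL."""
    ref = headers.get("Referer")
    if not ref:
        return None
    parts = urlsplit(ref)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def referer_allowed(headers):
    """Weak check: does the Referer name one of our own origins?

    Any client that sets the header itself passes, and any legitimate
    browser or privacy tool that suppresses the header fails. That is
    why the answer says not to rely on it for anything serious.
    """
    return referer_origin(headers) in ALLOWED_ORIGINS


def make_csrf_token(session_secret, form_id):
    """Derive a per-form token from a secret that only our own pages
    (and this server) know; a third-party page cannot read it."""
    return hmac.new(session_secret, form_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_secret, form_id, submitted):
    """Constant-time comparison of the submitted token with the expected one."""
    expected = make_csrf_token(session_secret, form_id)
    return hmac.compare_digest(expected, submitted or "")


def accept_form_post(headers, form, session_secret, form_id="contact"):
    """Decision for a form handler: the CSRF token decides acceptance;
    the Referer result is only reported so it can be logged as a signal."""
    token_ok = csrf_token_valid(session_secret, form_id, form.get("csrf_token"))
    return {"accepted": token_ok, "referer_ok": referer_allowed(headers)}


def demo():
    """Run three constructed requests through the handler and return the
    three decisions: genuine, header-only forgery, header-stripped genuine."""
    secret = secrets.token_bytes(32)
    good_token = make_csrf_token(secret, "contact")

    # 1. Genuine submission from our own page, header intact.
    genuine = accept_form_post(
        {"Referer": "https://app.example/contact"}, {"csrf_token": good_token}, secret)
    # 2. Submission where the client wrote an in-house Referer itself but has
    #    no way to know the token. The Referer check alone would accept it.
    forged = accept_form_post(
        {"Referer": "https://app.example/contact"}, {"csrf_token": "guess"}, secret)
    # 3. Genuine user whose browser or privacy tool strips the header.
    #    The Referer check alone would wrongly reject it.
    stripped = accept_form_post({}, {"csrf_token": good_token}, secret)
    return genuine, forged, stripped


if __name__ == "__main__":
    for label, result in zip(("genuine", "forged", "stripped"), demo()):
        print(f"{label:8s} accepted={result['accepted']} referer_ok={result['referer_ok']}")
```

The token is bound to the session secret rather than to the header, so the decision does not change when the header is missing, mangled, or written by the client. Recording `referer_ok` alongside the decision still gives you the visitor-tracking data the question asks about, with its unreliability made explicit in the logs.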