Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

In what cases will HTTP_REFERER be empty

Tags:

http-headers

security

cross-domain

http-referer

referrer-policy

I know it's possible to get an empty HTTP_REFERER. Under what circumstances does this happen? If I get an empty one, does it always mean that the user changed it? Is getting an empty one the same as getting a null one? and under what circumstances do I get that too?

like image 323
sameold Avatar asked Jul 30 '11 02:07

sameold

People also ask

Why is HTTP referer empty?

There might be several reasons why the referer URL would be blank. It will/may be empty when the enduser: entered the site URL in browser address bar itself. visited the site by a browser-maintained bookmark.

Can HTTP_REFERER be spoofed?

Referer spoofing is typically done for data privacy reasons, in testing, or in order to request information (without genuine authority) which some web servers may only supply in response to requests with specific HTTP referers.

How does Referer header work?

The Referer header allows a server to identify a page where people are visiting it from. This data can be used for analytics, logging, optimized caching, and more. When you follow a link, the Referer contains the address of the page that owns the link.

Is Referer header reliable?

Using HTTP_REFERER isn't reliable, its value is dependent on the HTTP Referer header sent by the browser or client application to the server and therefore can't be trusted because it can be manipulated. Regarding the Referer header, section 15.1.

1 Answers

It will/may be empty when the enduser

  • entered the site URL in browser address bar itself.
  • visited the site by a browser-maintained bookmark.
  • visited the site as first page in the window/tab.
  • clicked a link in an external application.
  • switched from a https URL to a http URL.
  • switched from a https URL to a different https URL.
  • has security software installed (antivirus/firewall/etc) which strips the referrer from all requests.
  • is behind a proxy which strips the referrer from all requests.
  • visited the site programmatically (like, curl) without setting the referrer header (searchbots!).
like image 177
BalusC Avatar answered Sep 28 '22 10:09

BalusC
Sign in to Comment

Related questions

What does it mean when they say React is XSS protected?
Spring Test & Security: How to mock authentication?
How do I prevent Android taking a screenshot when my app goes to the background?
Is JSON Hijacking still an issue in modern browsers?
How to allow http content within an iframe on a https site [duplicate]
Exposing database IDs - security risk?
Unit testing with Spring Security
What is the App_Data folder used for in Visual Studio?
.NET obfuscation tools/strategy [closed]
Obscure a UITextField password
Best way for a 'forgot password' implementation? [closed]
Cross Domain Form POSTing
Best Practices: Salting & peppering passwords?
How can I store my users' passwords safely?
Has reCaptcha been cracked / hacked / OCR'd / defeated / broken? [closed]
Two-way encryption: I need to store passwords that can be retrieved
Convert .pfx to .cer
How to convert SecureString to System.String?
How to deal with a slow SecureRandom generator?
Can local storage ever be considered secure? [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!