How reliable is HTTP_REFERER?
Asked Answered
D

1

44

I need to check and record the referrer of visitors to my web application. How reliable is using HTTP_REFERER? And are there other alternatives?

Deluge answered 16/5, 2011 at 22:0 Comment(0)
H
53

Using HTTP_REFERER isn't reliable, its value is dependent on the HTTP Referer header sent by the browser or client application to the server and therefore can't be trusted because it can be manipulated.

Regarding the Referer header, section 15.1.2 of RFC2616 states:

Therefore, applications SHOULD supply as much control over this information as possible to the provider of that information.

and

We suggest, though do not require, that a convenient toggle interface be provided for the user to enable or disable the sending of From and Referer information.

Many online privacy tools mangle this value and many browsers such as FireFox have for a long time permitted users to prevent this header being sent. So in a nutshell, I wouldn't rely on it for any serious purpose. For example, securing forms so that drive-by spammers can't post values, because the Referer can be spoofed.

For further reading see:

Using referer field for authentication or authorization (WayBackMachine)

Hydrofoil answered 16/5, 2011 at 22:5 Comment(3)
Agree referer is not reliable and it's not secure, but trust me it does its job pretty well in reducing spam.Cordwood
The last link is dead.Symploce
@danrah - fixed. But if you find dead links, then have a look and see if they're on WayBackMachine (archive.org) and then just update the post with the most recent available archive copy of the page.Hydrofoil

© 2022 - 2024 — McMap. All rights reserved.