Can I rely on Referer HTTP header?
Can I rely on Referer HTTP header in my web application? I want to check if the user came from a particular domain/webpage, and if he or she did, then change the layout of my site accordingly.

I know that people can disable Referer in their browsers. Any ideas how often users do that? Can I rely on Referer being present in 99%?

Simile answered 30/11, 2011 at 0:57 Comment(8)
I am basing this purely off speculation and hunch, but I imagine the overwhelming majority of users on the internet do not modify ANY settings to their browser, let alone Referer. I suppose it would be based upon your target audience, i.e. senior citizens vs. hackers, for the two extremes of likelihood. – Indiscretion
possible duplicate of how reliable is HTTP_REFERER – Florina
Your question is nicely answered here: #6024441 – Anuska
@Anuska it's not really relevant here – Leonardoleoncavallo
@stefan: I beg your pardon? What's not relevant? – Anuska
@Anuska the question is about how likely it is to be set, not whether it's bulletproof. – Leonardoleoncavallo
@stefan: Ah, in that sense. Well, I suppose it's indeed slightly irrelevant, but those statistics, even if available anywhere, are very far-fetched. – Anuska
@Anuska why are they far-fetched? I think you should summarize an answer as this is turning into a chat. – Leonardoleoncavallo
As a general rule, you should not trust the HTTP Referer Header for any matter of importance, except for purely informative statistical analysis of who your visitors are or when looking for patterns of behaviour among the users of your own site.

Under no circumstances is it advisable that you use this header for AAA (Authentication, Authorization and Accounting), unless, as commented above, you consider Accounting the simple traffic analysis of your visitors' behavior.

The Common Weakness Enumeration lists this weakness as CWE-293: Using Referer Field for Authentication:

The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.

Some other and more specific reasons not to trust the Referer Header, include:

  • In general, when "linking" from an HTTP <-> HTTPS (TLS) connection, most standard Web browsers will not inform this header.

  • For privacy reasons, many corporate proxies are configured to remove/strip this header, so even if a Web browser sends this header, a corporate proxy software may remove it.

  • Out in the wild security solutions, malware, browsers embedded into applications... are known to modify and/or cheat on the contents of this header.

Beware that:

  • When "linking" from HTTPS to HTTPS, most standard Web browsers will inform this header even when changing the domain name or network address destination.
Icecap answered 20/6, 2013 at 17:22 Comment(2)
Do you have a source for "Even when 'linking' from HTTPS to HTTPS, most standard Web browsers will not inform this header when changing the domain name or network address destination."? I'd like to learn more about that. – Dermatogen
@Dermatogen Thanks for pointing out! The paragraph was in fact mis-typed in the opposite sense to what I intended. I have now updated it. Anyhow, this is a tricky topic and my answer reflects old (some years ago) research into it. Some interesting links for your own investigation: smerity.com/articles/2013/… and isc.sans.edu/forums/diary/… – Icecap
As long as you have a reasonable default behavior when there isn't a usable value, and you're not doing anything sensitive based on it, it's probably okay.

A malicious user could set that header to anything they want. I expect most users don't modify the default behavior of their browsers, so it's probably there and accurate most of the time.

There are probably also some cases where switching between HTTPS and HTTP will cause a referer header not to be sent.

Bred answered 30/11, 2011 at 1:7 Comment(1)
You're basically restating the question itself here. – Leonardoleoncavallo
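Both answers above make the same practical point: use the Referer only for a cosmetic decision, match it properly, and fall back to a sane default whenever it is absent (stripped by a corporate proxy, dropped on an HTTPS-to-HTTP navigation, disabled by the user) or does not name an expected origin. The following Python is an added example written for this page, not code from either answer or from any project; the partner origins, the header dictionaries standing in for a framework request object, and the sample requests are all constructed. It compares whole origins (scheme plus host plus non-default port) rather than doing a substring match, so a lookalike host such as `partner.example.evil.test` does not match `partner.example`, and it never uses the header to gate access, only to pick a layout. It also computes the "how often is it present" figure the question asks about, over the constructed sample, as the kind of informative statistic the accepted answer says is the one legitimate use.

```python
from urllib.parse import urlsplit

# Constructed allowlist of referring origins (scheme://host[:port]) whose
# visitors get the partner layout. Whole origins, never substrings: the
# scheme matters too, so a plain-http copy of a partner URL is not matched.
PARTNER_ORIGINS = {
    "https://partner.example",
    "https://news.example",
}

DEFAULT_LAYOUT = "default"
PARTNER_LAYOUT = "partner"


def get_header(headers, name):
    """Case-insensitive header lookup over a plain dict (stand-in for a
    framework request object; constructed for this example)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def referer_origin(referer):
    """Return 'scheme://host[:port]' for a Referer value, or None when the
    header is missing, empty, not http(s), or unparseable."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer.strip())
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    origin = f"{parts.scheme}://{parts.hostname}"   # hostname is already lowercased
    default_port = 443 if parts.scheme == "https" else 80
    if port is not None and port != default_port:
        origin += f":{port}"
    return origin


def choose_layout(headers):
    """Pick a layout from request headers. Purely cosmetic: an unexpected,
    forged or missing Referer simply yields DEFAULT_LAYOUT, never a denial
    or a grant of anything."""
    origin = referer_origin(get_header(headers, "Referer"))
    if origin in PARTNER_ORIGINS:
        return PARTNER_LAYOUT
    return DEFAULT_LAYOUT


def referer_presence_rate(requests):
    """Fraction of requests carrying a parseable Referer. Informative
    statistic only, the one use the accepted answer considers safe."""
    if not requests:
        return 0.0
    usable = sum(
        1 for h in requests
        if referer_origin(get_header(h, "Referer")) is not None
    )
    return usable / len(requests)


# Constructed sample requests covering the cases the answers describe.
SAMPLE_REQUESTS = [
    {"Referer": "https://partner.example/landing?utm=1"},   # genuine partner link
    {"referer": "http://partner.example/landing"},           # same host over plain http: not allowlisted
    {},                                                      # header stripped by proxy or HTTPS->HTTP hop
    {"Referer": "https://partner.example.evil.test/"},       # lookalike host, must not match
    {"Referer": "not a url"},                                # garbage value from a broken client
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(get_header(req, "Referer"), "->", choose_layout(req))
    print("usable Referer rate:", referer_presence_rate(SAMPLE_REQUESTS))
```

Matching on the origin rather than the full URL also lines up with how current browsers behave: under the default `Referrer-Policy` of `strict-origin-when-cross-origin`, a cross-origin navigation sends only the origin in Referer, so the path and query string cannot be relied on even when the header is present.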