Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
193 views
in Technique[技术] by (71.8m points)

Can I rely on Referer HTTP header?

Can I rely on Referer HTTP header in my web application? I want to check if the user came from a particular domain/webpage, and if he or she did, then change the layout of my site accordingly.

I know that people can disable Referer in their browsers. Any ideas how often users do that? Can I rely on Referer being present in 99%?

question from:https://stackoverflow.com/questions/8319862/can-i-rely-on-referer-http-header

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

As a general rule, you should not trust the HTTP Referer Header for any matter of importance, except for purely informative statistical analysis of who your visitors are or when looking for patterns of behaviour among the users of your own site.

Under no circumstance it is advisable that you use this header for AAA (Authentication, Authorization and Accounting), unless, as commented above, you consider Accounting the simple traffic analysis of your visitor's behavior.

The Common Weakness Enumeration lists this weakness as CWE-293: Using Referer Field for Authentication:

The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.

Some other and more specific reasons not to trust the Referer Header, include:

  • In general, when "linking" from an HTTP <-> HTTPS (TLS) connection, most standard Web browsers will not inform this header.

  • For privacy reasons, many corporate proxies are configured to remove/strip this header, so even if a Web browser sends this header, a corporate proxy software may remove it.

  • Out in the wild security solutions, malware, browsers embedded into applications... are known to modify and/or cheat on the contents of this header.

Beware that:

  • When "linking" from HTTPS to HTTPS, most standard Web browsers will inform this header even when changing the domain name or network address destination.

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...