views: 50
answers: 3

Hi all,

I want to know if there is any option/workaround for $_SERVER['HTTP_REFERER'], because 'HTTP_REFERER' cannot be trusted. What is another way to know which URL the request came from?

Here is the situation: http://abc.com/one.html will have an iframe with src=http://xyz.com/giv.php?param=1. How will giv.php on xyz.com know that the request is coming from http://abc.com/one.html?

+4  A: 

Sorry, there is no other way. Welcome to the Internet.

Dan McGrath
+1  A: 

If you really want trust, then:

  • All communication between the servers and the browser needs to be done over HTTPS
  • abc.com needs to request a unique identifier token from xyz.com (possibly with the client IP address included in the message, but be aware that some clients cycle IP addresses)
  • That token needs to be included in the xyz.com URL of the iframe (e.g. in the query string) so that the server can authenticate it

Even then, the token can be leaked by the user (either intentionally or through malware installed on their system).

David Dorward
+2  A: 

This looks like it might be an X-Y problem.

If X is

How can I stop unauthorized websites framing my content and presenting it to their unsuspecting users?

Then the referer is "good enough".

For the referer to be forged, the user has to participate. The unauthorised website can't tell the user's browser to send a false referer.

David Dorward
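The two approaches in the answers above, side by side, as an added example rather than code from the original thread: the referer allow-list that the last answer calls "good enough" against third-party framing, and the server-issued token that the second answer describes for when real trust is needed. The shared secret, the partner name "abc.com", the token lifetime and the token format (partner, expiry, nonce and an HMAC over them) are all assumptions made for the example.

```php
<?php
// Added example (not from the original thread). Two ways giv.php on xyz.com can
// decide whether a framed request is legitimate.
//
// 1. Referer allow-list: cheap, and sufficient against a third-party site that
//    merely frames the page, because that site cannot make the visitor's browser
//    send a forged Referer. It is not proof of origin: the header can be absent
//    (privacy settings, referrer policy) or set freely by a cooperating client.
//
// 2. Signed token: xyz.com issues an HMAC-signed token to the authorised partner
//    (abc.com) over HTTPS; the partner places it in the iframe URL and giv.php
//    verifies it. The secret, partner name and lifetime below are assumptions.

declare(strict_types=1);

const TOKEN_TTL = 300; // seconds a token stays valid (assumed value)

/** Return the lower-cased host named in a Referer header, or null if absent/unparseable. */
function referer_host(?string $referer): ?string {
    if ($referer === null || $referer === '') {
        return null;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : null;
}

/** Weak check: does the (untrusted) Referer name an allow-listed host? */
function referer_allowed(?string $referer, array $allowed_hosts): bool {
    $host = referer_host($referer);
    return $host !== null && in_array($host, $allowed_hosts, true);
}

/** xyz.com side: issue a token bound to a partner name and an expiry time. */
function issue_token(string $partner, int $now, string $secret): string {
    $expires = $now + TOKEN_TTL;
    $nonce   = bin2hex(random_bytes(8));       // hex only, so '|' cannot appear
    $payload = "$partner|$expires|$nonce";
    $mac     = hash_hmac('sha256', $payload, $secret);
    return base64_encode("$payload|$mac");
}

/** giv.php side: verify the token and return the partner name, or null if invalid. */
function verify_token(string $token, int $now, string $secret): ?string {
    $decoded = base64_decode($token, true);
    if ($decoded === false) {
        return null;
    }
    $parts = explode('|', $decoded);
    if (count($parts) !== 4) {
        return null;
    }
    [$partner, $expires, $nonce, $mac] = $parts;
    if (!ctype_digit($expires) || (int)$expires < $now) {
        return null;                           // malformed or expired
    }
    $expected = hash_hmac('sha256', "$partner|$expires|$nonce", $secret);
    // Constant-time comparison so the MAC cannot be guessed via timing.
    return hash_equals($expected, $mac) ? $partner : null;
}

// --- Constructed demonstration; no real HTTP traffic is involved ---
$secret  = 'PLACEHOLDER-random-secret-kept-only-on-xyz.com';
$allowed = ['abc.com', 'www.abc.com'];
$now     = time();

// Referer check: allow-listed host, unknown host, and a missing header.
var_dump(referer_allowed('http://abc.com/one.html', $allowed));
var_dump(referer_allowed('http://other.example/frame.html', $allowed));
var_dump(referer_allowed(null, $allowed));

// Token flow: issued to abc.com, then checked fresh, after expiry, and with the wrong secret.
$token = issue_token('abc.com', $now, $secret);    // would be handed to abc.com over HTTPS
var_dump(verify_token($token, $now, $secret));
var_dump(verify_token($token, $now + TOKEN_TTL + 1, $secret));
var_dump(verify_token($token, $now, 'not-the-real-secret'));
```

In deployment, giv.php would read the token from its query string and `$_SERVER['HTTP_REFERER']` for the allow-list check; the referer path covers the "stop other sites framing my content" case, while the token path proves only that xyz.com issued a token to abc.com, which is exactly the limit the second answer notes: a token that leaks from the user's browser still verifies until it expires, so keep lifetimes short.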