What is the point of doing this?

I want a reason why it's a good idea to send a person back to where they came from if the referrer is outside of the domain. I want to know why a handful of websites out there insist that this is good practice. It's easily exploitable, easily bypassed by anyone who's logging in with malicious intent, and just glares in my face as a useless "security" measure. I don't like to have my biased opinions on things without other input, so explain this one to me.

The request headers are only as trustworthy as your client; why would you use them as a means of validation?

+1  A: 

There are three reasons why someone might want to do this. Checking the referer is a method of CSRF Prevention. A site may not want people to link to sensitive content and thus use this to bounce the browser back. It may also be to prevent spiders from accessing content that the publisher wishes to restrict.

I agree it is easy to bypass this referer restriction on your own browser using something like TamperData. It should also be noted that the browser's HTTP request will not contain a referer if you're coming from an https:// page going to an http:// page.

Rook
I wish I could give you more +1's for that edit of yours about https, that will basically solve a lot of problems for me on the project that led me to this ;).
@user257493 Sweet. Thanks, I'm happy to help. SO Rocks like that.
Rook
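The CSRF-prevention use of the Referer header that the answer describes, written out as a small server-side check. This is an added example, not code from the question or the answer; the host names, the allow-list, and the sample headers are all constructed for illustration. It shows the three points the thread makes: the check only matters for state-changing requests, a request whose Referer names a foreign site is rejected, and a request with no Referer at all (the https:// to http:// case the answer mentions, or a privacy setting) has to be decided explicitly, here by failing closed. It also prefers the Origin header when present, since browsers send it on cross-origin state-changing requests, and it matches the host exactly rather than by substring so that a host that merely contains the allowed name does not pass.

```python
from urllib.parse import urlsplit

# Constructed values for the example: the allow-list and the sample
# requests below are placeholders, not anything from a real deployment.
ALLOWED_HOSTS = {"app.example.com"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def source_host(headers):
    """Return the host named by Origin (preferred) or Referer, or None.

    Origin is checked first because browsers send it on cross-origin
    state-changing requests. A literal "null" Origin carries no host and is
    treated the same as a missing header.
    """
    origin = headers.get("Origin")
    if origin and origin != "null":
        return urlsplit(origin).hostname
    referer = headers.get("Referer")
    if referer:
        return urlsplit(referer).hostname
    return None


def check_request(method, headers, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether a request passes the referer/origin check.

    Returns (allowed, reason). Safe methods are never blocked: the check is a
    CSRF defence and CSRF concerns state-changing requests. A missing source
    header on a state-changing request fails closed, which is what a browser
    produces when it drops Referer on an https:// -> http:// hop, so that
    situation has to be handled deliberately rather than silently allowed.
    """
    if method.upper() not in STATE_CHANGING:
        return True, "safe method, no check applied"
    host = source_host(headers)
    if host is None:
        return False, "no Origin/Referer (e.g. https->http downgrade or privacy setting)"
    # Exact host comparison, not a substring test: "app.example.com.other.example"
    # must not be accepted just because it contains the allowed name.
    if host.lower() in allowed_hosts:
        return True, f"source host {host} is allowed"
    return False, f"source host {host} is not in the allow-list"


def audit(requests, allowed_hosts=ALLOWED_HOSTS):
    """Run check_request over (method, headers) pairs; returns the list of decisions."""
    return [check_request(m, h, allowed_hosts) for m, h in requests]


# Constructed sample requests covering the cases discussed in the thread.
SAMPLE_REQUESTS = [
    ("GET", {"Referer": "https://search.example/q"}),                # safe method
    ("POST", {"Referer": "https://app.example.com/account"}),        # same site
    ("POST", {"Referer": "https://attacker.example/page"}),          # foreign site
    ("POST", {}),                                                    # referer dropped (https->http)
    ("POST", {"Origin": "https://app.example.com",
              "Referer": "https://other.example/x"}),               # Origin wins over Referer
]

if __name__ == "__main__":
    for (method, headers), (ok, why) in zip(SAMPLE_REQUESTS, audit(SAMPLE_REQUESTS)):
        print(f"{method:5} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Because the header is set by the client, as the question points out, a check like this only raises the bar for a browser that the user did not instruct to lie; it is a defence-in-depth layer rather than a complete CSRF control on its own.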