I heard that HTTP_REFERER can be spoofed. I have 2 sites, the first one contacts the second, and the second uses HTTP_REFERER to verify that the request is from the first one.
If I receive a fake request from my first site to the second site and I know that this request was not made, what should I think? Is a third website spoofing HTTP_REFERER for all its users, or is an individual spoofing it from his browser settings? I want to know if HTTP_REFERER is set/spoofed by the client/browser or by the website itself.
It is information sent by the client. It's usually set to the page on which you clicked the link.
It can also absolutely be spoofed. You can do it yourself by setting the header in a PHP cURL request.
$ch = curl_init('http://second-site.example/endpoint'); // constructed target URL for the example
curl_setopt( $ch, CURLOPT_HTTPHEADER, array(
    'Host: www.google.com',
    'Referer: http://google.com/',
    'FaKeHEADER: ThisIsFakeButItWillBeSentAnyways'));
$response = curl_exec( $ch ); // the request goes out with exactly these headers
curl_close( $ch );
The receiving server will see those in the header, even though it was never sent from google.com. You can also spoof everything else you would see in the Header (user agents, cookies, etc).
You're gonna have a difficult time detecting spoofed headers unless you know exactly what each one should look like from each source. Best thing you can do is work with IPs and limit the Header types you accept (for example, if a page can only use GET requests, reject all POST requests). Even then if someone wants to spoof you, chances are they will and you won't know it.
If you are trying to secure a connection between 2 sites of yours, you should be limiting the connection with more than just a header; that's not secure at all.
Edit: You can even send really fake headers. I updated the example to show what I mean. Some sites use custom headers (like the fake one) to pass authentication around.
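To make the answer's last point concrete, here is an added example (not from the answer or the asker's sites) of what "more than just a header" can look like: the second site authenticates requests from the first with an HMAC over the request, keyed by a secret both sites share out of band, instead of trusting Referer. The Referer-only check is shown beside it so the difference is visible; the hostname, header names and secret are constructed for this example.

```python
import hmac
import hashlib

# Constructed shared secret; in practice provisioned on both sites out of band.
SHARED_SECRET = b"constructed-demo-secret"
FIRST_SITE = "https://first-site.example/"


def referer_check(headers):
    """The check from the question: any client can set this header, so it proves nothing."""
    return headers.get("Referer", "").startswith(FIRST_SITE)


def sign_request(method, path, body, ts, secret=SHARED_SECRET):
    """HMAC-SHA256 over method, path, timestamp and body, so none can be altered in transit."""
    msg = f"{method}\n{path}\n{ts}\n".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def signed_headers(method, path, body, now, secret=SHARED_SECRET):
    """What the first site attaches to an outgoing request (timestamp in seconds)."""
    ts = str(int(now))
    return {"X-Timestamp": ts, "X-Signature": sign_request(method, path, body, ts, secret)}


def verify_signed(method, path, body, headers, now, secret=SHARED_SECRET, max_skew=300):
    """What the second site runs before trusting a request claimed to come from the first."""
    ts = headers.get("X-Timestamp")
    sig = headers.get("X-Signature")
    if ts is None or sig is None or not ts.isdigit():
        return False
    if abs(int(now) - int(ts)) > max_skew:
        return False  # stale timestamp: reject replays of an old captured request
    expected = sign_request(method, path, body, ts, secret)
    return hmac.compare_digest(expected, sig)  # constant-time comparison


if __name__ == "__main__":
    body = b'{"x":1}'
    forged = {"Referer": FIRST_SITE + "page"}  # spoofed header, no secret
    print("referer check passes forged request:", referer_check(forged))
    print("signature check passes forged request:", verify_signed("POST", "/api/sync", body, forged, 1_700_000_000))
    good = signed_headers("POST", "/api/sync", body, 1_700_000_000)
    print("signature check passes genuine request:", verify_signed("POST", "/api/sync", body, good, 1_700_000_010))
```

A request with a spoofed Referer passes the first check and fails the second, while a tampered body or a replay outside the time window also fails the second.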
It can be very easily spoofed by the client. However, most people would not bother. In 99% of cases, you should think it's the correct value, unless you have some valid reason not to believe so (like if you suspect a bot).