saibbyweb

Reputation: 3264

Is HTTP REFERER safe enough?

I have a PHP file which contains some important data of my website. I have set up the below written HTTP REFERER script in that file. For now it's only accessible when redirected from a specific page of my website backend (which is password protected). Is it safe to assume that this file cannot be accessed by any other means?

<?php
    if ($_SERVER['HTTP_REFERER'] == "http://yoursite.com/IMPORTANT_FILE.php") {
        // continue
    } else {
        header("Location: http://yoursite.com/");
        exit(); //Stop running the script
        // go to form page again.
    }
?>

Upvotes: 0

Views: 480

Answers (1)

John Conde

Reputation: 219934

No. $_SERVER['HTTP_REFERER'] can be spoofed so it cannot be relied upon for safety or accuracy. This Chrome extension makes it trivial for a newbie to do.

A better way to do this is to authenticate your users before they attempt to access your protected files. Only after passing this authentication can they access them. See this answer for an example.

Upvotes: 6
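
The approach recommended in the answer above, as an added example that is not part of the original answer or the example it links to: the protected file checks server-side session state set at login instead of the client-supplied Referer header. The names find_user(), log_in(), require_login(), the 'user_id' session key, /login.php and the sample account are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample account store (assumption); a real site would query its
// user table. The hash is built at runtime only to keep the example self-contained.
function find_user(string $name): ?array
{
    $users = [
        'admin' => ['id' => 1, 'hash' => password_hash('example-password', PASSWORD_DEFAULT)],
    ];
    return $users[$name] ?? null;
}

// Called by the login form handler (hypothetical /login.php) after session_start().
function log_in(string $name, string $password): bool
{
    $user = find_user($name);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);         // fresh session ID on login (blocks fixation)
    $_SESSION['user_id'] = $user['id'];  // stored on the server, not sent by the browser
    return true;
}

// Goes at the top of the protected file, in place of the Referer comparison.
function require_login(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');  // hypothetical login page
        exit;                            // stop before any protected output
    }
}

// The browser only holds the session cookie; keep it away from scripts and
// from cross-site requests.
session_start(['cookie_httponly' => true, 'cookie_samesite' => 'Lax']);
require_login();

// Only reached by requests whose session was marked as logged in by log_in().
echo 'protected content';
```

The check must run in the protected file itself on every request; protecting only the page that links to it leaves the file reachable by its URL.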
