6:[["$","$Le",null,{}],["$","div",null,{"className":"min-h-screen bg-gray-100 p-6","children":[["$","$Lf",null,{}],["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org\",\"@type\":\"QAPage\",\"mainEntity\":{\"@type\":\"Question\",\"name\":\"Can referer header be trusted when using https?\",\"text\":\"

I understand that the referer header is trivial to spoof when using standard http. But when using https can you trust the referer or is that potentially faked as well?

\\n\",\"author\":{\"@type\":\"Person\",\"name\":\"SlyMcFly\"},\"upvoteCount\":4,\"answerCount\":1,\"acceptedAnswer\":null}}"}}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mb-6 relative","children":[["$","div",null,{"className":"absolute top-4 right-4 flex flex-wrap space-x-2","children":[["$","span","https",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/https/1","children":"https"}]}],["$","span","header",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/header/1","children":"header"}]}]]}],["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/934ffcaa9eda8067076a33835ce9106f?s=256&d=identicon&r=PG","alt":"SlyMcFly","className":"w-16 h-16 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/733753/slymcfly","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"SlyMcFly"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",245]}]]}]]}],["$","h1",null,{"className":"text-2xl font-bold text-gray-800 mb-4","children":"Can referer header be trusted when using https?"}],["$","p",null,{"className":"text-gray-700 mt-4","dangerouslySetInnerHTML":{"__html":"

I understand that the referer header is trivial to spoof when using standard http. But when using https can you trust the referer or is that potentially faked as well?

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm mt-4","children":[["$","p",null,{"children":["Upvotes: ",4]}],["$","p",null,{"children":["Views: ",353]}]]}]]}],["$","div",null,{"className":"container mx-auto","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-6","children":["Answers (",1,")"]}],[["$","div","6432807",{"className":"bg-white shadow-md rounded-lg p-6 mb-6","children":[["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"$undefined","alt":"user149341","className":"w-12 h-12 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"$undefined","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"user149341"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ","$undefined"]}]]}]]}],["$","p",null,{"className":"text-gray-700 mb-4","dangerouslySetInnerHTML":{"__html":"

No. Using HTTPS changes nothing; the referer can still trivially be spoofed; for example:

\n\n

wget --referer=http://whitehouse.gov/ https://example.com/\n

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm","children":["$","p",null,{"children":["Upvotes: ",6]}]}]]}]]]}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mt-6","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-4","children":"Related Questions"}],["$","ul",null,{"className":"list-disc list-inside","children":[["$","li","6880659",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/6880659","className":"text-blue-600 hover:underline","children":"In what cases will HTTP_REFERER be empty"}]}],["$","li","8319862",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/8319862","className":"text-blue-600 hover:underline","children":"Can I rely on Referer HTTP header?"}]}],["$","li","1361705",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/1361705","className":"text-blue-600 hover:underline","children":"Is HTTP header Referer sent when going to a http page from a https page?"}]}],["$","li","7620328",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/7620328","className":"text-blue-600 hover:underline","children":"Is there referrer header while using SSL?"}]}],["$","li","23955679",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/23955679","className":"text-blue-600 hover:underline","children":"Is HTTP REFERER safe enough?"}]}],["$","li","15971264",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/15971264","className":"text-blue-600 hover:underline","children":"How can I get the correct referer via JavaScript if the referrer uses https?"}]}],["$","li","14237900",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/14237900","className":"text-blue-600 hover:underline","children":"Is request header "referer" always sent when from one page to other when both the pages are in HTTPS protocol"}]}],["$","li","5453776",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/5453776","className":"text-blue-600 hover:underline","children":"Is HTTP_REFERER set by client"}]}],["$","li","6501490",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/6501490","className":"text-blue-600 hover:underline","children":"adding HTTP_REFERER in header and verify"}]}],["$","li","1390862",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/1390862","className":"text-blue-600 hover:underline","children":"http_referer lost using https"}]}]]}]]}]]}],["$","$L11",null,{}],["$","$L12",null,{}],["$","$L13",null,{}],["$","$L14",null,{}],["$","$L15",null,{}]]

Can referer header be trusted when using https?

Answers (1)

Related Questions