
Forms and referrer checking

7 replies to this topic

#1
Upstream

    Learning Programmer

  • Members
  • 44 posts
A lot of tutorials, posts etc. which I have read are somehow related to the safe processing of forms and/or user input. It struck me that the matter of checking the referring URL is not mentioned often. I always check the HTTP referer before processing initial requests/posts with something like:

<?php
$saveUrl = 'https://www.example.com/form.php'; // the page the form is expected to be posted from

// The header may be absent entirely, so test for it before comparing
if (!isset($_SERVER['HTTP_REFERER']) || $_SERVER['HTTP_REFERER'] != $saveUrl) {
  // Invalid or missing referrer, do something
  exit;
}


Is it left out because it is assumed as being standard, has it been rendered obsolete, or am I missing something here? I always thought it was good practice and critical to counter brute force attacks and other security issues.

#2
Orjan

    Writes binary right handed and hex left handed

  • Moderators
  • 3,299 posts
  • Location:Karlstad, Sweden
  • Programming Language:C, Java, C++, C#, PHP, JavaScript, Pascal
  • Learning:Java, C#
A lot depends on how your code will be used. At times, you might want to allow it. Also, this kind of security stuff is usually left out in tutorials, as they are made to point out something else, and then you leave out the stuff you're not writing your tutorial about.
__________________________________________
I study Information Systems at Karlstad University when I'm not on CodeCall

#3
Alexander

    It's Science!

  • Moderators
  • 4,124 posts
  • Location:Vancouver, Eh! Cleverness: 200
Some things to take in to consideration assuming you were asking about the general consensus on its use:
http://en.wikipedia....Referrer_hiding

As on some of my websites referers are spam or not available, I would assume it is not wise to use this for common operations (i.e. anti-hotlinking or security).
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.

#4
Mark Wylde

    Learning Programmer

  • Members
  • 46 posts
I'm not sure if it's the case these days but I remember having trouble with the referrer if the user has some strange antivirus/firewall system installed which blanks it out. I think it was Norton.

#5
Upstream

    Learning Programmer

  • Members
  • 44 posts
Thank you all for your input on this!

Based on your reactions, and some more reading on the subject, I have concluded that it can be an effective extra layer of security at low cost of resources.

I realise that there is a trade-off to be made regarding usability, thus making it less practical in use for the publicly available parts of high-traffic (commercial) sites. But for more secure parts of a website:

What is your opinion on using this technique as a security measure to protect against the mindless bashing of script kiddies by preventing them from taking up server resources through cutting off the execution before implementing any further resources like database connections?

#6
Mark Wylde

    Learning Programmer

  • Members
  • 46 posts
I personally disagree that it adds any level of security. These days any script kiddie can find out the referrer can be forged by simply adding the referrer HTTP header to a request. There's no level of security it provides that I feel is worth the hassle it places on you having to design it, and your visitors from having problems such as:
  • Bookmarks to certain pages may not work
  • Antiviruses sometimes block the referrer

In my opinion the only thing the referrer is good for is tracking where your visitors are coming from.

Edited by Mark Wylde, 04 April 2011 - 01:31 PM.
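To make the point of the last two posts concrete, here is an added example (not code posted by anyone in this thread). It puts the referer comparison from post #1, rewritten to cope with a missing header, beside a per-session form token check, which does not depend on anything the client chooses. The host name, the session array layout and the field name form_token are assumptions made for the example.

```php
<?php
// Added example for this thread (not code posted by any participant).
// Host name, session layout and the 'form_token' field name are assumptions.

function refererMatchesHost(array $server, string $expectedHost): bool
{
    // The header is optional: privacy tools, some security suites and
    // bookmarks strip or omit it, so "missing" must be handled explicitly.
    if (empty($server['HTTP_REFERER'])) {
        return false;
    }
    // Compare the host only; comparing the full URL breaks on query strings
    // and on http/https variants of the same page.
    $host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

function issueFormToken(array &$session): string
{
    // The secret lives server-side; the client only gets a copy to echo back
    // in a hidden form field.
    $token = bin2hex(random_bytes(32));
    $session['form_token'] = $token;
    return $token;
}

function formTokenIsValid(array $session, array $post): bool
{
    if (empty($session['form_token']) || empty($post['form_token'])) {
        return false;
    }
    // Constant-time comparison so timing does not reveal matching prefixes.
    return hash_equals($session['form_token'], (string) $post['form_token']);
}

// --- Constructed sample requests (stand-ins for $_SERVER and $_POST) --------
$session = [];
$token   = issueFormToken($session);   // would be rendered into the form

$requests = [
    'normal submit'        => [['HTTP_REFERER' => 'https://www.example.com/form.php'],
                               ['form_token' => $token]],
    'referer stripped'     => [[], ['form_token' => $token]],
    'header but no token'  => [['HTTP_REFERER' => 'https://www.example.com/form.php'],
                               []],
];

foreach ($requests as $label => [$server, $post]) {
    printf("%-20s referer ok: %-4s token ok: %s\n",
        $label,
        refererMatchesHost($server, 'www.example.com') ? 'yes' : 'no',
        formTokenIsValid($session, $post) ? 'yes' : 'no');
}
```

Run it with `php example.php`. The referer-only gate fails in both directions that the thread describes: a legitimate visitor whose software strips the header is turned away, while any request that merely carries the expected header value passes. The token check does neither, because the value it compares against was generated on the server and stored in the session, not read from the request. In a real handler, reject the request when formTokenIsValid() returns false, and treat the referer result at most as a logging signal.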


#7
Alexander

    It's Science!

  • Moderators
  • 4,124 posts
  • Location:Vancouver, Eh! Cleverness: 200
Yes, the number one rule of security: user-provided input, even something as basic as headers, is insecure.
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.

#8
Upstream

    Learning Programmer

  • Members
  • 44 posts
Thanks for your thoughts on this. I started this post because it bothered me that most advice given on secure scripting didn't mention referer checking at all. I started wondering if I was missing something completely. I haven't worked with PHP for the past few years and maybe the problem is that I still think like it's 1999, when referer checking was considered to be sexy and hardware to be expensive.

Still, I am afraid that I will hold on to it for a little longer, as I encounter countless poorly coded and badly maintained websites done by people who only copy code from tutorials to get it done. I would not mind as much if these sites would not enable spammers and the like to do their thing.

PS. I took a look at your site and some of your code, and it looked nice and sharp to me!
"The question of whether a computer can think is no more interesting than the question of whether a submarine can swim." (Edsger Dijkstra)