Http referrer = Worthless

Spent a few days trying out different ways to validate a request was coming from where I thought it was -using http referrer.  Finally got it all working, packaged up and configurable and went to setup a test environment for the QA guys – and told them to test “just set an entry in your hosts file…” and it hit me – anyone can just put an entry in their hosts file and make the request look like it’s coming from wherever they want.  I knew it’d be possible to fake it out – but it didn’t dawn on me how easy it’d be until I was done.


One thought on “Http referrer = Worthless

  1. Yeah, unfortunately there is no good way to verify the referrer, or as I do with FireFox, turn off referrers altogether. For things like ajax, it becomes a lot easier if the user is logged in, because then you can validate queries and so for that are linked to the users ID’s, making unauthorized access or spoofed calls much harder. When you’re talking about users who are not logged in, the options disappear quickly.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s