steva

How reliable is HTTP_REFERER to use in mod_rewrite?

I notice that a lot of mod_rewrite rules are based on the value in HTTP_REFERER, but can this be trusted? Don't most browsers have a Privacy mode now that leaves HTTP_REFERER empty? And can't an attacker easily modify HTTP_REFERER?

It seems that legitimate users browsing privately would get blocked if the rule was looking for something special in HTTP_REFERER, and illegitimate users could put whatever you're looking for in there.
Apache Web Server
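
An added illustration of the concern raised in the question, not part of the original post: a small Python model of a Referer-based mod_rewrite condition, applied to constructed requests, that counts how often the rule decides wrongly. The site name example.com, the rule pattern in the comment, and the `decide`/`audit` helpers are assumptions made for this example; it models the rule's logic and does not run Apache.

```python
import re

# Constructed model of a typical Referer-based rule; the host example.com and
# the pattern are assumptions for this example, not taken from the post:
#   RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
#   RewriteRule \.(jpg|png)$ - [F]
OWN_SITE = re.compile(r"^https?://(www\.)?example\.com/", re.IGNORECASE)


def decide(headers, allow_empty):
    """Return 'serve' or 'forbid' the way the modelled rule would.

    allow_empty=True models the additional condition
    'RewriteCond %{HTTP_REFERER} !^$', which exempts requests with no Referer.
    """
    referer = headers.get("Referer", "")  # an absent header expands to ""
    if allow_empty and referer == "":
        return "serve"
    return "serve" if OWN_SITE.search(referer) else "forbid"


# Constructed requests: (description, legitimate client?, request headers)
REQUESTS = [
    ("visitor following a link on the site itself", True,
     {"Referer": "https://www.example.com/gallery.html"}),
    ("visitor whose browser or proxy sends no Referer", True, {}),
    ("another site embedding the image", False,
     {"Referer": "https://other.example.net/page"}),
    ("client that sets the header value itself", False,
     {"Referer": "https://www.example.com/"}),
    ("client that leaves the header out", False, {}),
]


def audit(allow_empty):
    """Return (legitimate requests forbidden, illegitimate requests served)."""
    wrongly_forbidden = wrongly_served = 0
    for _desc, legitimate, headers in REQUESTS:
        verdict = decide(headers, allow_empty)
        wrongly_forbidden += legitimate and verdict == "forbid"
        wrongly_served += (not legitimate) and verdict == "serve"
    return wrongly_forbidden, wrongly_served


if __name__ == "__main__":
    for allow_empty in (False, True):
        print("allow_empty=%s -> (wrongly forbidden, wrongly served) = %s"
              % (allow_empty, audit(allow_empty)))
```

Exempting empty Referer values removes the false block for private-mode visitors but widens what gets served, so the header works as a hint for low-stakes rules rather than as an access control.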

Last Comment
steva

8/22/2022 - Mon