<div>
<div class="content wysiwyg-content">
I notice that a lot mod_rewrite rules are based on the value in HTTP_REFERER but can this be trusted? &nbsp;Don't most browsers have a Privacy mode now that leaves HTTP_REFERER empty? &nbsp;And can't an attacker easily modify HTTP_REFERER? <br />
<br />
It seems that legitimate users browsing privately would get blocked if the rule was looking for something special in HTTP_REFERER, and illegitimate users could put whatever you're looking for in there.
</div>
</div>


I notice that a lot mod_rewrite rules are based on the value in HTTP_REFERER but can this be trusted?  Don't most browsers have a Privacy mode now that leaves HTTP_REFERER empty?  And can't an attacker easily modify HTTP_REFERER? 

It seems that legitimate users browsing privately would get blocked if the rule was looking for something special in HTTP_REFERER, and illegitimate users could put whatever you're looking for in there.

How reliable is HTTP_REFERER to use in mod_rewrite?

The Apache HTTP Server is a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards. Typically Apache is run on a Unix-like operating system, but it is available for a wide variety of operating systems, including Linux, Novell NetWare, Mac OS-X and Windows. Released under the Apache License, Apache is open-source software.