Can I rely on Referer HTTP header?
Can I rely on Referer HTTP header in my web application? I want to check if the user came from a particular domain/webpage, and if he or she did, then change the layout of my site accordingly.
I know that people can disable Referer in their browsers. Any ideas how often users do that? Can I rely on Referer being present in 99%?
Answer
As a general rule, you should not trust the HTTP Referer Header for any matter of importance, except for purely informative statistical analysis of who your visitors are or when looking for patterns of behaviour among the users of your own site.
Under no circumstance it is advisable that you use this header for AAA (Authentication, Authorization and Accounting), unless, as commented above, you consider Accounting the simple traffic analysis of your visitor's behavior.
The Common Weakness Enumeration lists this weakness as CWE-293: Using Referer Field for Authentication:
The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.
Some other and more specific reasons not to trust the Referer Header, include:
In general, when "linking" from an HTTP <-> HTTPS (TLS) connection, most standard Web browsers will not inform this header.
For privacy reasons, many corporate proxies are configured to remove/strip this header, so even if a Web browser sends this header, a corporate proxy software may remove it.
Out in the wild security solutions, malware, browsers embedded into applications... are known to modify and/or cheat on the contents of this header.
Beware that:
- When "linking" from HTTPS to HTTPS, most standard Web browsers will inform this header even when changing the domain name or network address destination.