[thelist] Recommended use of HTTP_REFERER?

Simon Willison cs1spw at bath.ac.uk
Fri Oct 24 13:02:26 CDT 2003

John.Brooking at sappi.com wrote:
>    Question 1) Is that the recommended way of controlling access to your
> site's scripts?
>    Question 2) If not, what is?

Require the user to be logged in, using cookies or whatever your 
favourite authentication method is. For many scripts (such as a form 
feedback script) it doesn't make sense to require user logins. In that 
case, just make sure the scripts can't do anything harmful (like send 
emails to any email address).

>    Question 3) Is there really any reason for HTTP_REFERER to exist, if it
> is not dependable?

It's essential for finding out what sites are linking to you. As a 
security tool though it is of almost no value at all - although it can 
be useful for preventing other sites from linking to your images 
(hotlinking). The algorithm for that is "if the referral field is set to 
a URL AND that URL isn't one on my site, don't serve the image". That 
way people using software that blocks the referral header will still be 
able to see the image.

Simon Willison
Web development weblog: http://simon.incutio.com/
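As an added example that is not part of Simon's post or of the thelist archive, the two points above in Python: a hotlink check that follows his rule exactly (refuse only when the Referer is a real URL whose host is not ours, so a blocked or missing header is still served), and a feedback handler whose recipient is fixed server-side rather than taken from the form. The hostnames www.example.com / example.com and the mailbox webmaster@example.com are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed for this example: the hostnames this site answers on.
MY_HOSTS = {"www.example.com", "example.com"}

# Constructed for this example: the only address feedback is ever sent to.
FEEDBACK_RECIPIENT = "webmaster@example.com"


def referer_host(referer):
    """Return the lowercased host from a Referer value, or None when the
    header is missing, empty, or not a parseable absolute http(s) URL."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer.strip())
    except ValueError:  # e.g. an unbalanced IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def should_serve_image(referer, my_hosts=MY_HOSTS):
    """Hotlink rule from the post: serve unless the Referer is set to a URL
    AND that URL's host is not one of ours. Comparing the parsed host (not a
    substring of the raw header) means a query string or a look-alike domain
    containing our name does not pass."""
    host = referer_host(referer)
    if host is None:
        return True          # header absent or stripped: still serve
    return host in my_hosts


def build_feedback_message(form):
    """Turn a submitted feedback form into (recipient, subject, body), or
    None if there is nothing to send. The recipient is fixed; any 'to'
    field the client submits is ignored, so the script cannot be used to
    mail arbitrary addresses. Whitespace in the name is collapsed so it
    cannot inject extra header lines into the subject."""
    name = " ".join(form.get("name", "").split())[:100]
    body = form.get("message", "").strip()[:5000]
    if not body:
        return None
    subject = "Site feedback" + (f" from {name}" if name else "")
    # A real script would hand this tuple to smtplib; omitted so it runs offline.
    return (FEEDBACK_RECIPIENT, subject, body)


if __name__ == "__main__":
    for ref in (None, "http://www.example.com/gallery/",
                "http://evil.example/?u=www.example.com",
                "http://www.example.com.evil.example/"):
        print(repr(ref), "->", "serve" if should_serve_image(ref) else "refuse")
    print(build_feedback_message({"to": "anyone@example.org", "message": "hi"}))
```

Note that the image check is exactly as narrow as Simon describes: it deters casual hotlinking and nothing more, since any client can omit or forge the header. The feedback handler is where the real control lives, because the harmful action (choosing the recipient) is simply not available to the caller.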
