[thelist] Referer Headers

Ken Schaefer ken at adOpenStatic.com
Fri Jul 16 07:24:20 CDT 2004


Unless the clients are accessing the server by IP address, then this would
not be exposed by the Referer header. And again, unless you are using
publicly routable IP addresses, then this would be useless to anyone else.

So:
If your clients are accessing your intranet as http://intranet, then this is
the server name that your external sites would (possibly) see in their logs,
which doesn't help them at all.

If your clients are accessing your intranet as http://10.0.0.2, then this
is the IP address that your external sites might possibly see in their logs,
which again, doesn't help them at all. A lot of companies use non-routable
addresses for their internal networks.

However if you are using publicly routable IP addresses, or publicly
resolvable DNS names, then it might be an issue...

Cheers
Ken

----- Original Message ----- 
From: "John Griffith" <john-thelist at host-it.co.uk>
Subject: RE: [thelist] Referer Headers


: I meant the ip of the internal web server, nothing more
:
: -----Original Message-----
: From: thelist-bounces at lists.evolt.org
: [mailto:thelist-bounces at lists.evolt.org]On Behalf Of Ken Schaefer
: Sent: 16 July 2004 11:37
: To: thelist at lists.evolt.org
: Subject: Re: [thelist] Referer Headers
:
:
: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: From: "John Griffith" <john-thelist at host-it.co.uk>
: Subject: [thelist] Referer Headers
:
:
: : I have a few intranet pages here which link to
: : some competitors websites, and I don't really
: : want them to be able to see the referer
: : headers in their log files, as they give away all
: : sorts of internal information which for security
: : reasons I don't want other people
: : to see (the scripting language used, internal
: : IP addresses, etc). Is there any way to ask a
: : browser not to supply a referer header?
:
: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:
: I'm not sure how you'd give out an IP address, unless you're using a
: publicly resolvable DNS name.
:
: As for the scripting language, you could obfuscate it. Map an arbitrary
: extension to your processing engine. Then route all external links through a
: "hand off" page, eg:
:
: <a href="leave.blah?linkID=1">external site 1</a>
:
: Cheers
: Ken
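
The cases discussed in this thread (a single-label name such as http://intranet, a non-routable address such as http://10.0.0.2, a publicly routable address or dotted DNS name, and a file extension that names the scripting language) can be checked mechanically for each intranet page that links out. This is an added example, not code from the thread; the function names, the extension table and the sample URLs are assumptions constructed for illustration.

```python
import ipaddress
import posixpath
from urllib.parse import urlsplit

# Constructed table: extensions that name the server-side engine.
SCRIPT_EXTENSIONS = {".asp": "ASP", ".aspx": "ASP.NET", ".php": "PHP",
                     ".jsp": "JSP", ".cfm": "ColdFusion", ".pl": "Perl"}

def classify_host(host):
    """Classify what the host part of a Referer tells an outside log reader."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal. A single-label name ("intranet") only resolves
        # inside the network; a dotted name may be publicly resolvable.
        return "internal-name" if "." not in host.rstrip(".") else "dns-name"
    # is_global is False for RFC 1918, loopback, link-local and similar ranges.
    return "public-ip" if ip.is_global else "non-routable-ip"

def referer_exposure(page_url):
    """Report what a Referer built from page_url would show an external site."""
    parts = urlsplit(page_url)
    host = parts.hostname or ""
    ext = posixpath.splitext(parts.path.lower())[1]
    return {
        "host": host,
        "host_class": classify_host(host),
        "engine_hint": SCRIPT_EXTENSIONS.get(ext),  # None if extension is arbitrary
        "has_query": bool(parts.query),             # query strings travel too
    }

if __name__ == "__main__":
    # Constructed sample URLs of intranet pages that link to external sites.
    samples = [
        "http://intranet/sales/report.asp?id=7",
        "http://10.0.0.2/index.php",
        "http://8.8.8.8/links.html",
        "http://intranet.example.com/leave.blah?linkID=1",
    ]
    for url in samples:
        print(url, referer_exposure(url))
```

Only the `public-ip` and `dns-name` results point at something an outside party could try to reach, and a `dns-name` still has to be checked against public DNS separately.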
