
Re: SF_form_secure

by gellyfish (Monsignor)
on Oct 24, 2006 at 11:31 UTC (#580241)

in reply to SF_form_secure

I get nervous when I see HTTP_REFER and (unqualified) security mentioned together.

Leaving aside the fact that the Referer header is trivially spoofed in a client, many "personal firewalls", proxies and other internet security software will remove or otherwise anonymise the Referer header: the HTTP Specification makes the suggestion that it might be removed.

Beyond that it's not exactly clear how this might be used.


Re^2: SF_form_secure
by SFLEX (Chaplain) on Oct 24, 2006 at 12:02 UTC
    I know all too well the many ways referers can be spoofed. This is why the code has settings that can change what you want to check for a page. The main action that should be used is the QUERY_STRING encoding, which can secure the data in the QUERY_STRING from being tampered with. The QUERY_STRING encoding can be checked alone, or if you want to increase the security check you can give a matching referer and/or check the referer encoding, which was the last QUERY_STRING encoding.

    1) This code can be used to stop anyone from tampering with your URLs.
    2) This code can be used to secure one page to another.
    3) This code can be used to add an expiration to links made.
    4) This code can be used to only allow the one that requested the link encoding to work for.

    has more uses....
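
An added illustration, not part of the thread and not SF_form_secure's own code: one common way to get the tamper resistance, expiry and per-requester binding listed in the reply above, without consulting the Referer header, is an HMAC over the query string. The thread does not say how the module's "encoding" works, so HMAC-SHA256, the `exp`/`sig` parameter names, the key and the session identifier used as the requester are all assumptions.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed demo key; a real key is random and loaded from protected config.
my $SECRET = 'constructed-demo-key';

# Append an expiry and an HMAC tag covering query, expiry and requester.
sub sign_query {
    my ($query, $requester, $ttl, $now) = @_;
    my $expires = ($now // time) + $ttl;
    my $tag = hmac_sha256_hex(join("\n", $query, $expires, $requester), $SECRET);
    return "$query&exp=$expires&sig=$tag";
}

# Compare two strings without stopping at the first differing byte.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns (1, 'ok') or (0, reason). The signature is checked before the expiry,
# so an attacker-edited exp value is never trusted.
sub verify_query {
    my ($signed, $requester, $now) = @_;
    $now //= time;
    my ($query, $expires, $tag) =
        $signed =~ /\A(.*)&exp=(\d+)&sig=([0-9a-f]{64})\z/s
        or return (0, 'malformed');
    my $expected = hmac_sha256_hex(join("\n", $query, $expires, $requester), $SECRET);
    return (0, 'bad signature') unless constant_time_eq($tag, $expected);
    return (0, 'expired') if $now > $expires;
    return (1, 'ok');
}

my $t0   = 1161691200;    # constructed timestamp
my $link = sign_query('action=view&id=42', 'session-A', 300, $t0);
(my $tampered = $link) =~ s/id=42/id=43/;
for my $case (
    ['valid',           $link,     'session-A', $t0 + 60],
    ['tampered id',     $tampered, 'session-A', $t0 + 60],
    ['other requester', $link,     'session-B', $t0 + 60],
    ['after expiry',    $link,     'session-A', $t0 + 301],
) {
    my ($name, $qs, $who, $when) = @$case;
    my ($ok, $why) = verify_query($qs, $who, $when);
    printf "%-16s %s\n", $name, $ok ? 'accepted' : "rejected ($why)";
}
```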
