"NEVER Trust $_SERVER['HTTP_REFERER']" - Why?

I have heard him repeat over and over again that you should NEVER use $_SERVER['HTTP_REFERER']. Why?

I understand that this can easily be manipulated by the user, i.e. the variable can be set to whatever the user wants. Thus, I fully understand why it should not be trusted in terms of security. But if, for example, all pages that should be accessible only to logged-in users check that the user is logged in, where is the danger associated with this variable?

+4
1 answer

This can be a useful variable, but it should not be relied upon. Firstly, it is not always provided (browsers can be configured not to send referrers), so code that relies on it may break when it is missing.

Secondly, it is rare for good security to trust even logged-in users; just because they are logged in does not mean they are not trying to do something they shouldn't.

It's fine to use it tentatively, but not to code with the assumption that it's true...

+2
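The two points in the answer (the header may be absent, and a logged-in user may still be an attacker) are easiest to see in code. The following is an added example, not code from the question or the answer: a PHP page that shows a Referer check as the anti-pattern, next to what actually provides authentication, authorization and CSRF protection. The file name delete_account.php, the form field names and the session keys are assumptions for illustration.

```php
<?php
// Added example (not from the original post). Shows why a check on
// $_SERVER['HTTP_REFERER'] is neither access control nor CSRF protection,
// and what to use instead. Paths/names (delete_account.php, csrf_token,
// account_id, user_id) are assumed for illustration.

declare(strict_types=1);
session_start();

// --- Anti-pattern: trusting the Referer ---------------------------------
// 1. Any client can send an arbitrary Referer header, for example:
//      curl -H 'Referer: https://example.com/settings.php' \
//           -b 'PHPSESSID=...' https://example.com/delete_account.php
// 2. Browsers, privacy extensions and Referrer-Policy can strip it; then the
//    key is not set at all (the null coalescing below avoids an "undefined
//    index" warning) and legitimate users would be locked out.
function refererLooksInternal(array $server): bool
{
    $referer = $server['HTTP_REFERER'] ?? '';
    $host = parse_url($referer, PHP_URL_HOST);   // false on a malformed URL
    return $host === 'example.com';              // trivially forged: never a security boundary
}

// --- What to do instead ---------------------------------------------------
// Authentication (is someone logged in?) and authorization (may *this* user
// perform *this* action?) come from server-side session state, not headers.
function currentUserId(): ?int
{
    return $_SESSION['user_id'] ?? null;
}

function canDeleteAccount(int $userId, int $targetAccountId): bool
{
    // A logged-in user is still only allowed to act on their own account.
    return $userId === $targetAccountId;
}

// CSRF protection, which is what a Referer check is usually meant to cover:
// a per-session random token embedded in the form and compared in constant
// time with hash_equals() on submission.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// --- Request handling -----------------------------------------------------
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $userId = currentUserId();
    $target = (int) ($_POST['account_id'] ?? 0);

    if ($userId === null) {
        http_response_code(401);
        exit('Login required');
    }
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Bad or missing CSRF token');
    }
    if (!canDeleteAccount($userId, $target)) {
        http_response_code(403);
        exit('Not your account');
    }
    // ... perform the deletion for $target here ...
    exit('Account deleted');
}

// The Referer may be used as a soft signal (logging, analytics), never to
// grant or deny access.
if (!refererLooksInternal($_SERVER)) {
    error_log('Form requested without an internal Referer (absent or forged)');
}

// GET: render the form carrying the CSRF token.
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo '<form method="post">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input type="hidden" name="account_id" value="' . (int) (currentUserId() ?? 0) . '">'
   . '<button type="submit">Delete my account</button>'
   . '</form>';
```

Note what the Referer check would and would not have bought here: a forged header passes `refererLooksInternal()` with one `curl -H` flag, while a privacy-conscious legitimate user with no Referer would have been rejected. The session lookup, the ownership check in `canDeleteAccount()` and the token comparison do not depend on anything the client can type into a header.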
