Is HTTP REFERER safe enough?

Question

I have a PHP file which contains some important data of my website. I have set up the below written HTTP REFERER script in that file. For now its only accessible when redirected from a specific page of my website backend (which is password protected). Is it safe to assume that this file cannot be accessed by any other means?

<?php
    if ($_SERVER['HTTP_REFERER'] == "http://yoursite.com/IMPORTANT_FILE.php") {
        // continue
    } else {
        header("Location: http://yoursite.com/");
        exit(); //Stop running the script
        // go to form page again.
    }
?>

No, it can easily be set to anything you want using a number of browser plugins. — Joachim Isaksson, May 30 '14 at 13:23

score 6 · Answer 1 · edited May 23 '17 at 12:25

6

No. $_SERVER['HTTP_REFERER'] can be spoofed so it cannot be relied upon for safety or accuracy. This chrome extension makes it trivial for a newbie to do.

A better way to do this is authenticate your users before they attempt to access your protected files. Only after passing this authentication can they access them. See this answer for an example.

edited May 23 '17 at 12:25

Community

1
1

answered May 30 '14 at 13:22

John Conde

217,595
99
455
496

Is HTTP REFERER safe enough?

1 Answers1