157

I need to log URLs that are linking to my site in a Java Servlet.

BalusC
shane
  • Did I understand you correctly that if I found your site in google and opened the link then you logged 'google.com'? – Roman Apr 15 '10 at 21:10

4 Answers

336

It's available in the HTTP referer header. You can get it in a servlet as follows:

```java
String referrer = request.getHeader("referer"); // Yes, with the legendary misspelling.
```

You, however, need to realize that this is a client-controlled value and can thus be spoofed to something entirely different or even removed. Thus, whatever value it returns, you should not use it for any critical business processes in the backend, but only for presentation control (e.g. hiding/showing/changing certain pure layout parts) and/or statistics.

For the interested, background about the misspelling can be found in Wikipedia.

Simeon Leyzerzon
BalusC
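An added example (not part of the answer above and not code from any library) that treats the header as the client-controlled, statistics-only value the answer describes: it rejects control characters so a crafted header cannot forge log lines, and it keeps only the scheme and host. The class name, `externalReferrer`, the 2048-character cap and the host `my-site.example` are assumptions, and the sample header values are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Optional;

public class RefererLogExample {
    private static final int MAX_LEN = 2048; // assumed cap on header length

    /** Returns "scheme://host" of an external referrer, or empty if absent, malformed or our own host. */
    static Optional<String> externalReferrer(String raw, String ownHost) {
        if (raw == null || raw.isEmpty() || raw.length() > MAX_LEN) {
            return Optional.empty();
        }
        // Reject control characters (CR/LF included) so the value cannot inject fake log lines.
        if (raw.chars().anyMatch(Character::isISOControl)) {
            return Optional.empty();
        }
        try {
            URI uri = new URI(raw);
            if (uri.getScheme() == null || uri.getHost() == null) {
                return Optional.empty();
            }
            String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
            String host = uri.getHost().toLowerCase(Locale.ROOT);
            if (!scheme.equals("http") && !scheme.equals("https")) {
                return Optional.empty();
            }
            if (host.equals(ownHost.toLowerCase(Locale.ROOT))) {
                return Optional.empty(); // internal navigation, not an inbound link
            }
            // Path and query are dropped: they can carry another site's tokens or search terms.
            return Optional.of(scheme + "://" + host);
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // Constructed samples; in a servlet the input would be request.getHeader("referer").
        String[] samples = {
            "https://www.google.com/search?q=servlet",
            "https://my-site.example/page2",
            "https://other.example/\r\n2010-04-15 INFO admin logged in",
            "javascript:alert(1)",
            null
        };
        for (String s : samples) {
            System.out.println(externalReferrer(s, "my-site.example").orElse("-"));
        }
    }
}
```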
27

Actually it's: `request.getHeader("Referer")`, or even better, and to be 100% sure, `request.getHeader(HttpHeaders.REFERER)`, where `HttpHeaders` is `com.google.common.net.HttpHeaders`.

wpodgorski
  • 11
    From the Java EE API docs for the method [`getHeader(String name)`](http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getHeader(java.lang.String)) (quote): `"The header name is case insensitive."` – informatik01 May 25 '13 at 21:48
  • 8
    upvote anyway for HttpHeaders reference. Apache HTTP is another good one: `org.apache.http.HttpHeaders` – Barett Jan 05 '15 at 19:53
  • `org.apache.http.HttpHeaders` doesn't have ORIGIN header? `com.google.common.net.HttpHeaders` has it. – Loner May 07 '23 at 06:39
17

The URLs are passed in the request: `request.getRequestURL()`.

If you mean other sites that are linking to you? You want to capture the HTTP Referrer, which you can do by calling:

```java
request.getHeader("referer");
```

Buhake Sindi
Chris K
7

As all have mentioned, it is

```java
request.getHeader("referer");
```

I would like to add some more details about the security aspect of the referer header, in contrast with the accepted answer. In the Open Web Application Security Project (OWASP) cheat sheets, the Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet mentions the importance of the referer header.

> More importantly for this recommended Same Origin check, a number of HTTP request headers can't be set by JavaScript because they are on the 'forbidden' headers list. Only the browsers themselves can set values for these headers, making them more trustworthy because not even an XSS vulnerability can be used to modify them.
>
> The Source Origin check recommended here relies on three of these protected headers: Origin, Referer, and Host, making it a pretty strong CSRF defense all on its own.

You can refer to the Forbidden header list here. The user agent (i.e. the browser) has full control over these headers, not the user.

Don D