2

I am working on this simple app which requires me to set custom referer value before redirecting.

Suppose A clicks on link X which I posted in Facebook. Now if I check the referer value in my server, then it shows 'facebook.com'. Now A after clicking link X is being redirected to B and B shows referer 'facebook.com'. But I want it to show 'mywebsite.com' in B instead of 'facebook.com'. How can I achieve this?

Please note that I read in MDN about the 'Forbidden Header Names' but there's this website called Hitleap which is a traffic exchange website. They let users set custom referer values for the traffic they send. So I guess it's possible to do it.

This is my route:

```javascript
router.get('/:id', (req, res) => {
  res.set('Referer', 'https://mywebsite.com');
  res.redirect('https://boomboom.com');
});
```

UPDATE

I've found that it's not possible with conventional methods of setting the header. So I have been thinking of achieving this result by using the following two methods, but I don't know if that is going to work. So I'm looking for feedback.

Method 1: So when a user clicks on my link, he will visit a page on my server before redirecting to the final destination. The page on my server will just say "redirecting". And when that happens I will also set the full header for the user, including "Referer" field. Then redirect to the actual page.

Method 2: Same approach as method 1, but this time I would like to copy the full header from the client but change the referer value when the user is on my "redirecting" page and then redirect to the final destination.

Are any of these processes possible? If you have any other solution please share it here. Thanks

O. Jones
Zak
  • 2
    impossible because referer is set by the browser, not the server response – Lawrence Cherone Sep 01 '20 at 21:35
  • Hey thanks for replying. Do you mean they are generating fake traffic and that's why they are able to manipulate 'referer'? – Zak Sep 01 '20 at 21:40
  • There is no way to force the browser to set the `Referer` to something. What you can do is return a `200` instead of a `302`, and then have the page contents cause an automatic redirect to the target site. `<meta http-equiv="refresh">` is a common approach, but according to [this](https://stackoverflow.com/questions/2985579/does-http-equiv-refresh-keep-referrer-info-and-metadata) it may not send the `Referer` in all browsers. Another answer there suggests a Javascript form submission. – Kevin Christopher Henry Sep 09 '20 at 13:23
  • 1
    Sites like Hitleap act as a proxy. They aren't returning a HTTP redirect, they're creating their own request on the server (so they can set the `Referer` to anything they want) and then returning the results to your browser. – Kevin Christopher Henry Sep 09 '20 at 13:24
  • @KevinChristopherHenry Hey thanks for the reply. If you don't mind can you provide an elaborate solution? I have checked the page you linked above and the solutions there are not clear. They just say to put meta refresh or to put a form. My code right now is pretty simple. I don't have an html page being rendered. Rather ```router.get('/:id',...)``` just redirects to the destination page which is not in my app. – Zak Sep 09 '20 at 13:52
  • As Kevin said, you can take the request, modify it and send a request from your server to target server, then pipe the response back to the user. Two things you should consider though, one: ethics, if it has any other purpose than anonymity, two: folks at the target server would know of this, if they wanted to. Check this project: https://github.com/http-party/node-http-proxy – Orion Cygnus Sep 15 '20 at 08:55
  • @OrionCygnus Thanks for the link. Is it possible to implement proxy server in a single route? What I mean is that whenever a user clicks on my link, he will get into a proxy server and then get redirected from the proxy server. Proxy server will be setup in that route only. Is that possible? – Zak Sep 15 '20 at 12:35
  • You can have it running on a different port and have only one valid route, and have a route on your main server redirect to it? IDK, be creative :) – Orion Cygnus Sep 17 '20 at 14:16

1 Answer

1

Referer headers in the HTTP protocol go from browser to server, not the other direction. If your server sends one to a browser, the browser ignores it.

Standard commercial browsers make it hard to mess around with the value of the Referer header from browser Javascript. Because cybercreeps. Your plan might be perceived by some websites as an attempt to do a cross-site request forgery attack. So think through your goal carefully.

You could, from your site, serve a page that causes your user's browser immediately to redirect to the desired site. A page something like this may do the trick for you. This means refresh the current page after 0 seconds from the URL https://example.com.

The title tag sets the browser-tab caption to "Redirecting..." while the refresh is in progress. I've found that useful in single-signon redirection. It lets a user know something is coming.

```html
<html>
  <head>
    <meta http-equiv="Refresh" content="0; URL=https://example.com/">
    <title>Redirecting...</title>
  </head>
</html>
```

If that doesn't set the correct Referer, which it might not in all browsers, you can use a little bit of Javascript to load an invisible form and then submit it immediately.

This tiny page might do it for you:

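```html
<html>
  <head>
    <title>Redirecting...</title>
  </head>
  <body>
    <!-- Empty form whose only job is to navigate to the target -->
    <form method="GET" action="https://example.com/">
    </form>
    <script>
      // Submit the form as soon as the page has loaded
      window.onload = function () {
        document.forms[0].submit();
      };
    </script>
  </body>
</html>
```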

This second approach won't work if your user disables browser Javascript. But, then again, most websites won't work in that case.

You can troubleshoot all this with your browser devtools Network tab. It shows headers for each request.

O. Jones
  • Thanks for the detailed answer. I tried this solution as Kevin commented above and the referrer does change to my site instead of the user's origin. I was hoping I could set it. I've read online and Kevin also said that it's possible to make new headers in proxy server. So is that really possible? – Zak Sep 10 '20 at 16:41
  • Yes, it's possible. But keep in mind that a proxy server looks like a man-in-the-middle attack on the integrity of browser-to-server communications. You're spoofing the referer that way. – O. Jones Sep 15 '20 at 11:08
  • Is it possible to implement proxy server in a single route? What I mean is that whenever a user clicks on my link, he will get into a proxy server and then get redirected from the proxy server. Proxy server will be setup in that route only. Is that possible? – Zak Sep 15 '20 at 12:36
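
The interstitial approach from the answer, as an added example (not the answerer's code): a handler that returns `200` with the meta-refresh page, so the browser itself sends your site as the `Referer` on the next request. The id-to-URL table, the `Referrer-Policy: origin` header and the function names are assumptions of this example; destinations are looked up by id rather than taken from the request so the route cannot be used as an open redirect.

```javascript
// Added example. Link ids and destination URLs are constructed placeholders.
const DESTINATIONS = new Map([
  ['promo', 'https://example.com/landing?src=promo'],
  ['docs', 'https://example.org/docs/'],
]);

// Escape a value before placing it inside an HTML attribute.
function escapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Build the response for a link id (pure function, no network access).
function interstitialFor(id) {
  const target = DESTINATIONS.get(id);
  if (!target) {
    // Unknown id: never fall back to a URL supplied by the client.
    return { status: 404, headers: { 'Content-Type': 'text/plain' }, body: 'Unknown link' };
  }
  const url = escapeAttr(target);
  const body = `<!doctype html>
<html>
  <head>
    <meta http-equiv="Refresh" content="0; URL=${url}">
    <title>Redirecting...</title>
  </head>
  <body><a href="${url}">Continue</a></body>
</html>`;
  return {
    // 200, not 302: the browser has to load this page for it to become the referrer.
    status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      // Pass on only the site origin, not the full path containing the link id.
      'Referrer-Policy': 'origin',
      'Cache-Control': 'no-store',
    },
    body,
  };
}

// Handler with the (req, res) signature used by Node's http module and Express.
function handler(req, res) {
  const id = req.url.split('?')[0].slice(1); // "/promo?x=1" -> "promo"
  const r = interstitialFor(id);
  res.writeHead(r.status, r.headers);
  res.end(r.body);
}
```

Whether the destination actually receives the `Referer` still depends on the browser, so confirm it in the devtools Network tab as the answer suggests.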