
I want to know if it is safe to check the Origin/Referer header of the HTTPS request in the backend to learn the frontend domain.

As far as I know:

  1. Those headers are set by the browser automatically. People cannot change them via JavaScript, unless they use a modified browser or plugin.

  2. Someone will say that some proxy software can change the HTTP packet, so someone may use this between the frontend and the backend to fake those headers. But as far as I am concerned, HTTPS is encrypted, so this would be impossible.

So if I check those headers and the request indeed originates from the browser, those headers would reflect the true domain of the frontend. Am I correct?

Thanks for the help!

Xingce Bao
    Yes, in a browser those cannot be faked. From anywhere else (curl, wget, postman) they can be set to whatever the requester wants. Do with that what you want. You cannot distinguish a browser from a postman request. – luk2302 May 24 '23 at 18:18
  • Does this answer your question? [How to spoof http referer](https://stackoverflow.com/questions/3104647/how-to-spoof-http-referer) – Rob Napier May 24 '23 at 18:30
  • Yes it can be faked. If you are asking because of some security feature you want to introduce, you should add that context. – Evert May 24 '23 at 18:32
  • @RobNapier in fact my question is whether https can resolve the spoofing issue of http here. – Xingce Bao May 25 '23 at 08:48
  • No, it cannot, for all the reasons we already gave. HTTPS protects against MITM and someone spying on your data in transit; it does not at all protect you from malicious clients, because it simply can't. – luk2302 May 25 '23 at 20:01

1 Answer


Who are you trying to protect the header from? As you seem to understand, the end user can set the header to whatever they want:

unless they use a modified browser or plugin.

or a non-browser client, or a user-controlled HTTPS proxy.

You're correct that it is difficult (and to a limited sense "impossible") for a random third party to modify the request if the user's system is set up correctly (HTTPS certificates are valid and the user's environment is not compromised). So in that way, the Referer header is protected like the rest of the request.

But it can say whatever the end user wants it to say. It's only the "true domain" if the end user doesn't modify it.

Rob Napier
  • Hmm, I understand the point. In fact, the user can still use a user-controlled HTTPS proxy to change it, since the user knows all the HTTPS keys. So they can still do what they want. HTTPS just makes it more troublesome. – Xingce Bao May 25 '23 at 08:47
  • Correct. HTTPS protects a channel from outsiders, it does not protect the parties from each other. – Rob Napier May 25 '23 at 12:00
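As an added example, not part of the original question or answer, the script below shows the point of the answer in running code: a backend that allowlists the Origin header rejects an honest non-browser client that names another origin, and then accepts the very same client as soon as it writes the trusted origin into the header itself. The allowlisted domain (`https://app.example`) and the `/api/transfer` path are made-up; the server runs over plain HTTP on localhost, which is an assumption for offline use, since TLS would wrap the identical bytes and only hide them from third parties, not change what the client is free to send.

```python
"""Added example: Origin/Referer are client-chosen bytes, not proof of the front end."""
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical front-end domain the backend would like to "verify" (assumption).
TRUSTED_ORIGIN = "https://app.example"


class OriginCheckingHandler(BaseHTTPRequestHandler):
    """Backend that allows a POST only if its Origin header matches the allowlist."""

    def do_POST(self):
        origin = self.headers.get("Origin", "")
        referer = self.headers.get("Referer", "")
        allowed = origin == TRUSTED_ORIGIN
        body = json.dumps(
            {"origin_seen": origin, "referer_seen": referer, "allowed": allowed}
        ).encode()
        self.send_response(200 if allowed else 403)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # Silence per-request logging so the demo output stays readable.
        pass


def start_backend():
    """Bind the demo backend to a free localhost port and serve it on a background thread."""
    server = HTTPServer(("127.0.0.1", 0), OriginCheckingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def send_request(port, headers):
    """Non-browser client (think curl or Postman): every header is whatever the caller passes."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/api/transfer", body=b"amount=100", headers=headers)
    resp = conn.getresponse()
    result = json.loads(resp.read())
    result["status"] = resp.status
    conn.close()
    return result


def demo():
    """Return (rejected, forged): the backend's view of an honest and a forged request."""
    server = start_backend()
    port = server.server_address[1]
    try:
        # Honest client naming a different origin: the allowlist does what it was written to do.
        rejected = send_request(port, {"Origin": "https://other.example"})
        # Same client, now simply claiming to be the trusted front end. No browser is involved,
        # so nothing enforces the header; the backend sees exactly the bytes the client chose.
        # Over HTTPS the exchange would be identical, only encrypted against third parties.
        forged = send_request(
            port,
            {"Origin": TRUSTED_ORIGIN, "Referer": TRUSTED_ORIGIN + "/checkout"},
        )
        return rejected, forged
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    rejected, forged = demo()
    print("honest client, other origin :", rejected)
    print("same client, forged origin  :", forged)
```

The backend's allowlist is not wrong as a browser-side CSRF heuristic, since a real browser will not let page script set Origin or Referer; it is wrong only when read as authentication of the calling site, which is the distinction the answer draws.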