Re: Referer Spoofing

The referrer header from a legit stock browser is not going to lie but it
might be missing or truncated for various reasons (for example because of a
Referrer Policy). Also doesn't show the redirect history so it might be
misleading (the originating page might have been hacked to link through a
redirector).

-Dan Veditz

On Sun, Jul 29, 2018 at 3:45 PM, Ricardo Iramar dos Santos <
riramar@gmail.com> wrote:

> Hi All,
>
> Can we rely on referer request header?
> Not sure if here is the right place to ask such question but searching
> over the web I couldn't find any official documentation from any modern
> browser explicitly saying that referer request header cannot be spoofed
> without using internal API (e.g. browser extensions).
> In the past IE/Edge had some issues (https://www.brokenbrowser.
> com/referer-spoofing-defeating-xss-filter/) but this was fixed long time
> ago.
> If you google about it most of documentation available over the web are
> saying do not trust on referer request header but if officially there is
> no methods to change it why not?
>
> Thanks!
> Ricardo Iramar
>

Received on Monday, 30 July 2018 00:44:40 UTC