Feedback on: CGI Security : Better Safe than Sorry

irt.org | About | Feedback | 2916 [ previous next ]

Feedback on:
CGI Security : Better Safe than Sorry

Sent by
Neil Fraser on June 28, 2001 at 10:14:03:

Worth:
Very worth reading

Length:
Too short

Technical:
Just right

Comments:
From the article: "In other cases, you can use the CGI environment variable HTTP_REFERER, which provides the URL of the document that the browser points to before accessing the CGI script, to restrict access."

No! HTTP_REFERER can never be used to "restrict access". I can telnet to port 80 and forge any referer header that I care to type. The only time that HTTP_REFERER can be used is when you are dealing with an authenticated legitimate user, and you want to verify that they haven't accidentally clicked on a 3rd party "trojan" link that submits a form they weren't intending.

What's New

How to do the impossible with Google Gears

Out and About

Last Updated: 21st December 2007. Maintained by: Martin Webb
irt.org liability, trademark, document use, privacy statement and software licensing rules apply.