
Feedback on: CGI Security : Better Safe than Sorry, June 28, 2001 at 10:14:03:


Sent by Neil Fraser on June 28, 2001 at 10:14:03:

Very worth reading

Too short

Just right

From the article: "In other cases, you can use the CGI environment variable HTTP_REFERER, which provides the URL of the document that the browser points to before accessing the CGI script, to restrict access."

No! HTTP_REFERER can never be used to "restrict access". I can telnet to port 80 and forge any referer header that I care to type. The only time that HTTP_REFERER can be used is when you are dealing with an authenticated legitimate user, and you want to verify that they haven't accidentally clicked on a third-party "trojan" link that submits a form they weren't intending.
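The distinction Neil draws above, written out as an added example (this is not code from irt.org or from the article under discussion). It assumes a CGI-style `environ` dictionary, a constructed site host `www.example.org`, and a hypothetical `session` mapping whose `authenticated` flag is set by some real login mechanism. `referer_is_same_site` is the kind of check the article suggests; `allow_state_change` shows the only role it can legitimately play: an extra guard on a state-changing request from a user who has already been authenticated by other means. Because the client supplies the header, `referer_is_same_site` accepts whatever value the client chooses to send, which is exactly why it is not access control.

```python
from urllib.parse import urlsplit

# Constructed example value: the host that legitimately serves our forms.
SITE_HOST = "www.example.org"


def referer_is_same_site(environ, site_host=SITE_HOST):
    """Return True only if HTTP_REFERER is present, is an http(s) URL, and
    its host is exactly site_host. A missing or unparsable header fails closed.

    Note that nothing here can tell a genuine browser-supplied Referer from
    one a client typed by hand: the value is entirely under the sender's
    control, so a True result proves nothing about who is calling.
    """
    ref = environ.get("HTTP_REFERER", "")
    if not ref:
        return False
    parts = urlsplit(ref)
    if parts.scheme not in ("http", "https"):
        return False
    # Compare the whole hostname; a prefix/substring match would wrongly
    # accept hosts such as www.example.org.attacker.example.
    return (parts.hostname or "").lower() == site_host.lower()


def allow_state_change(environ, session, site_host=SITE_HOST):
    """Gate a state-changing CGI request for an already-authenticated user.

    The session flag (set by a real login, assumed here) is the access
    control. The Referer check only helps catch the case Neil describes: a
    logged-in user whose browser was steered into submitting our form from
    a third-party page. The user's browser, not a forger, fills in Referer
    in that scenario, which is the only reason the check has any value.
    """
    if not session.get("authenticated"):
        return False          # unauthenticated: deny regardless of Referer
    if environ.get("REQUEST_METHOD") != "POST":
        return False          # state changes must not ride on GET links
    return referer_is_same_site(environ, site_host)


if __name__ == "__main__":
    # Constructed requests. The first is what a legitimate browser sends;
    # the second carries a hand-typed Referer and is accepted just the same,
    # which is the point: the header cannot restrict access on its own.
    genuine = {"REQUEST_METHOD": "POST",
               "HTTP_REFERER": "http://www.example.org/form.html"}
    hand_typed = {"REQUEST_METHOD": "POST",
                  "HTTP_REFERER": "http://www.example.org/anything"}
    print("genuine Referer passes:   ", referer_is_same_site(genuine))
    print("hand-typed Referer passes:", referer_is_same_site(hand_typed))
    # Without an authenticated session, neither request changes state.
    print("state change, no session: ", allow_state_change(hand_typed, {}))
    print("state change, logged in:  ",
          allow_state_change(genuine, {"authenticated": True}))
```

The design choice worth noting is that `allow_state_change` consults the session first and the Referer last: reversing that order would turn a client-controlled header into the gate, which is the mistake the article's sentence invites. A missing Referer is also treated as a failure rather than a pass, since many clients and proxies strip it and a lenient check would silently accept those requests.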

©2018 Martin Webb