CGI Security : Better Safe than Sorry

Neil Fraser on June 28, 2001 at 10:14:03:

From the article: "In other cases, you can use the CGI environment variable HTTP_REFERER, which provides the URL of the document that the browser points to before accessing the CGI script, to restrict access."

No! HTTP_REFERER can never be used to "restrict access". I can telnet to port 80 and forge any referer header that I care to type. The only time that HTTP_REFERER can be used is when you are dealing with an authenticated legitimate user, and you want to verify that they haven't accidentally clicked on a 3rd party "trojan" link that submits a form they weren't intending.


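The legitimate use Neil describes, as an added example that is not part of the original comment: a CGI handler where authentication decides who may act and the `HTTP_REFERER` check only catches an authenticated user's browser submitting a form from a third-party page. The `environ` dict, the site origin `https://www.example.com` and the handler names are assumed for illustration.

```python
from urllib.parse import urlsplit

def _origin(url):
    """Reduce a URL to (scheme, host, port) so two URLs can be compared as origins.
    Returns None for anything that is not a plain http/https URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    port = port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname, port)

def referer_matches_site(environ, site_origin, allow_missing=False):
    """True when the CGI HTTP_REFERER variable points back to our own origin.
    Browsers sometimes strip the header, so the caller decides whether a
    missing Referer is acceptable. The header is client-supplied, so this
    is a cross-site-submission check, never an access-control decision."""
    ref = environ.get("HTTP_REFERER")
    if not ref:
        return allow_missing
    ref_origin = _origin(ref)
    return ref_origin is not None and ref_origin == _origin(site_origin)

def handle_transfer(environ, session_is_authenticated):
    """Hypothetical state-changing CGI action (assumed name). Returns an HTTP
    status: 401 for no authenticated session, 403 when the submission does
    not appear to come from our own pages, 200 otherwise."""
    if not session_is_authenticated:
        return 401  # access control lives here, not in the Referer check
    if not referer_matches_site(environ, "https://www.example.com"):
        return 403  # an authenticated user, but the form came from elsewhere
    return 200
```

Note that a matching Referer with no session still yields 401: the header can only ever narrow what an already-authenticated user is allowed to do.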