Referer of HTTP

Reprinted from: https://www.cnblogs.com/bukudekong/p/3829852.html


In the security training, it was mentioned that the Referer can be used in security checks, and HackBar also has an option to enable the Referer. So what role does the Referer actually play?

(What follows is a compilation of collected material; the source links are placed at the bottom and are not cited one by one.)


1. Open the HttpFox packet-capture plugin, search for 126.com on Baidu, click the site's entry in the search results, and view the HTTP request in the capture tool.


The Referer is visible in the Headers section of the HTTP request:

Referer: http://www.baidu.com/s?tn=98835442_hao_pg&ie=utf-8&f=3&wd=126.com&oq=126.&bs=126.com&rsv_bp=1&inputT=5799&rsp=0


The Referer in the HTTP request header is mainly used to let the server determine the source page, that is, which page the user came from. Websites usually use it to count where users come from: whether they arrived from a search page, from a link on another website, from a bookmark, and so on, so that the site can position itself sensibly.

The Referer is sometimes used for hotlink protection (anti-leech): on a download, the server checks whether the referring address is within the website's own domain name, and otherwise refuses to serve or display the resource. Many websites, such as Tianya, use the Referer to decide whether a user may download pictures.

Of course, a malicious user can also forge the Referer to obtain certain permissions, which should be taken into account when designing a website.

It can also be used for the security of e-commerce websites. On the page where important information such as a credit card number is submitted, use the Referer to check whether the previous page was your own website. If not, an attacker may be submitting from a form they wrote themselves, in order to bypass the JavaScript validation on your previous page.

But be careful not to use the Referer for authentication or other very important checks, because the Referer is very easy to change on the client side.

(RefControl, a Firefox plugin, modifies the Referer.)

For browsers, the Referer is generally not sent in the following situations, because of potential security issues:

1. The user types the URL manually or visits from favourites/bookmarks.

2. The page goes from HTTPS to HTTP. This should be a security consideration; the point is described in RFC 2616, and mainstream browsers such as IE and FF follow this rule. By default, however, HTTPS to HTTPS does send the Referer.
The security problem is that sensitive information about the user contained in the address might be sent to another, malicious website.

3. Since FF offers very powerful custom settings, we can change the defaults of the following two options via the about:config page:

network.http.sendRefererHeader (default = 2)
Sets how the Referer is sent: 0 means never send it, 1 means send it only when a link is clicked and not when loading images and the like on a page, 2 means always send it.
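As an added example, not code from the original post or its sources, here is a server-side Referer check in the spirit of the anti-leech and form-origin checks above. It assumes the site's own host names, a plain header dict and the policy for a missing Referer; the point is to compare the parsed host exactly (a substring test would pass attacker hosts), to treat a missing Referer as its own case because browsers legitimately omit it, and to use the result as a heuristic rather than authentication.

```python
from urllib.parse import urlsplit

# Constructed allow-list of host names that belong to "our" site (assumption).
OWN_HOSTS = {"www.example.com", "example.com"}


def referer_is_own_site(headers: dict, own_hosts=OWN_HOSTS) -> str:
    """Classify the Referer of a request for an anti-leech / form-origin check.

    Returns:
      "own"     - Referer is an http(s) URL whose host is one of ours
      "foreign" - Referer is present but points somewhere else
      "absent"  - no Referer (typed URL, bookmark, HTTPS->HTTP, user settings)
    The caller decides policy per value. This is a heuristic only: the client
    can send any Referer it likes, so never treat "own" as proof of identity.
    """
    # Header names are case-insensitive; headers here is a plain dict (assumption).
    ref = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if not ref:
        return "absent"
    parts = urlsplit(ref)
    # Only http(s) referrers count; anything else (no scheme, data:, ...) is foreign.
    if parts.scheme not in ("http", "https"):
        return "foreign"
    host = parts.hostname or ""  # .hostname is already lower-cased, port stripped
    # Exact host comparison. A naive test such as  "example.com" in ref  would
    # accept http://example.com.attacker.test/ or http://attacker.test/?x=example.com
    return "own" if host in own_hosts else "foreign"


def allow_download(headers: dict, allow_missing: bool = True) -> bool:
    """Anti-leech policy as described in the text: serve the file only when the
    referring page is on our own domain. A missing Referer is allowed by
    default, since blocking it would also block bookmarks and typed URLs."""
    verdict = referer_is_own_site(headers)
    if verdict == "absent":
        return allow_missing
    return verdict == "own"
```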


References:

http://blog.csdn.net/mutsinghua/article/details/5187595

http://s99f.blog.163.com/blog/static/351183652009086578735/
