Interview question: What is an empty Referer, and when will an empty Referer appear?


An empty Referer means that the Referer field in the HTTP request header is empty or absent. This usually happens when the user types the URL directly into the browser's address bar, or opens the site from a bookmark or an external link: there is no referring page, so the browser has nothing to put in the header.

For example, the request will not carry a Referer header in the following two situations:

  1. When the user types the URL directly into the browser address bar to visit a website;
  2. When navigating from an HTTPS page to an HTTP page, the browser will leave the Referer empty (it does not leak the secure page's URL over a plaintext connection).

It should be noted that on some high-security sites (such as banks and e-commerce sites), the administrator may restrict the content of the Referer header or force the use of HTTPS, and allow only same-origin pages to obtain the relevant information.

An empty Referer can be used in some attack techniques, such as cross-site attacks and evading URL logging and statistics. It can also be used for privacy protection, reducing the precision of targeted-advertising analysis and the threat of repeated-click tracking.

To balance security and usability, some technical measures can be adopted in actual development to avoid the problems caused by an empty Referer, including:

  1. Reject third-party requests with an empty Referer: most web frameworks and firewalls today can block requests with an empty Referer and accept only requests that come from standard HTTP or HTTPS pages. This strengthens the defense against third-party attacks and cross-site request forgery (CSRF).

  2. Control application behavior: reduce the attack surface, for example by making form submission addresses and shared file links accessible only through specially generated temporary links on the page; restrict the source IP addresses of the target; and adopt technical measures such as anti-spam strategies.
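The empty-Referer check from item 1, written out as an added example (not code from the original post): a server-side gate for state-changing requests that consults Origin first, then the Referer origin, and rejects a missing Referer rather than trusting it. The header dict, the `allowed_origins` set and the sample requests are assumptions constructed for the demo.

```python
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

# Read-only methods never change state, so a missing Referer is harmless there
# (direct navigation, bookmarks and HTTPS->HTTP downgrades all produce one).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _origin_of(url: str) -> Optional[str]:
    """Reduce a URL to its scheme://host[:port] origin, or None if unusable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_request_source(method: str, headers: Dict[str, str],
                         allowed_origins: Set[str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request.

    allowed_origins holds lowercase origins such as "https://shop.example".
    For POST/PUT/DELETE the browser-set Origin header is checked first; if it
    is absent, the Referer's origin is compared instead. An empty Referer on a
    state-changing request is rejected, since it cannot prove where the
    submission came from.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    origin = h.get("origin", "").strip().lower()
    if origin and origin != "null":  # "null" is an opaque origin, not a trusted one
        return origin in allowed_origins, f"origin={origin}"
    referer = h.get("referer", "").strip()
    if not referer:
        return False, "empty Referer on state-changing request"
    ref_origin = _origin_of(referer)
    if ref_origin is None:
        return False, "malformed Referer"
    return ref_origin in allowed_origins, f"referer origin={ref_origin}"


if __name__ == "__main__":
    site = {"https://shop.example"}
    # Constructed sample requests: same-origin form post, direct POST with no
    # headers, cross-site post, and a look-alike host that must not pass.
    for m, hdrs in [("POST", {"Referer": "https://shop.example/cart"}),
                    ("POST", {}),
                    ("POST", {"Origin": "https://attacker.example"}),
                    ("POST", {"Referer": "https://shop.example.attacker.example/x"})]:
        print(m, hdrs, "->", check_request_source(m, hdrs, site))
```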

To sum up, an empty Referer is not a weaponized "forgery" in itself, but it is a security risk worth watching. Finding technical means to supplement the existing authentication mechanism in everyday applications is an indispensable measure for website managers who want to ensure the integrity of the website, the safe operation of back-end services, and the security of user data.

Origin blog.csdn.net/qq_51447496/article/details/131141700