我可以依赖Referer HTTP 标头吗? [英] Can I rely on Referer HTTP header?
问题描述
我可以在我的 Web 应用程序中依赖 Referer HTTP 标头吗?我想检查用户是否来自特定的域/网页,如果是,则相应地更改我的网站布局.
Can I rely on Referer HTTP header in my web application? I want to check if the user came from a particular domain/webpage, and if he or she did, then change the layout of my site accordingly.
我知道人们可以在他们的浏览器中禁用 Referer.任何想法用户多久这样做一次?我可以依赖 99% 的 Referer 吗?
I know that people can disable Referer in their browsers. Any ideas how often users do that? Can I rely on Referer being present in 99%?
推荐答案
作为一般规则,您不应该相信任何重要的 HTTP Referer Header,除了纯粹的信息统计分析您的访问者是谁或在您自己网站的用户中寻找行为模式时.
As a general rule, you should not trust the HTTP Referer Header for any matter of importance, except for purely informative statistical analysis of who your visitors are or when looking for patterns of behaviour among the users of your own site.
在任何情况下都不建议将此标头用于 AAA(身份验证、授权和计费),除非如上所述,您认为计费是对访问者行为的简单流量分析.
Under no circumstance it is advisable that you use this header for AAA (Authentication, Authorization and Accounting), unless, as commented above, you consider Accounting the simple traffic analysis of your visitor's behavior.
Common Weakness Enumeration 将此弱点列为 CWE-293: Using Referrer Field for Authentication:
The Common Weakness Enumeration lists this weakness as CWE-293: Using Referer Field for Authentication:
HTTP 请求中的 referer 字段很容易修改,因此不是消息完整性检查的有效方法.
The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.
不信任Referer Header的其他一些更具体的原因包括:
Some other and more specific reasons not to trust the Referer Header, include:
通常,当从 HTTP <-> HTTPS (TLS) 连接链接"时,大多数标准 Web 浏览器不会通知此标头.
In general, when "linking" from an HTTP <-> HTTPS (TLS) connection, most standard Web browsers will not inform this header.
出于隐私原因,许多公司代理都配置为删除/剥离此标头,因此即使 Web 浏览器发送此标头,公司代理软件也可能将其删除.
For privacy reasons, many corporate proxies are configured to remove/strip this header, so even if a Web browser sends this header, a corporate proxy software may remove it.
众所周知,安全解决方案、恶意软件、嵌入应用程序的浏览器...会修改和/或欺骗此标头的内容.
Out in the wild security solutions, malware, browsers embedded into applications... are known to modify and/or cheat on the contents of this header.
请注意:
- 当从 HTTPS 链接"到 HTTPS 时,即使更改域名或网络地址目标,大多数标准 Web 浏览器也会通知此标头.
这篇关于我可以依赖Referer HTTP 标头吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
