防止cURL Referrer spoofing [英] Preventing cURL Referrer spoofing

问题描述

我们收到来自开发人员的PHP程式码，使用的网页统计资料只依靠 $ _ SERVER ['HTTP_REFERER'] 。使用cURL，你可以很容易地伪造它，如下：

We received PHP code from a developer with a web-stats script that relies solely on $_SERVER['HTTP_REFERER']. With cURL, you can easily fake it as follows:

curl_setopt($curl, CURLOPT_REFERER, "client website");

我正在寻找一种方法来防止它。这甚至可以由客户端网站做到，有更高的统计。我在寻找一种方法来防止这种欺骗。这是可能吗？

and I'm looking for a way to prevent it. This can even be done by the client website as well, to have higher stats. I'm looking for a way to prevent this spoofing. Is this possible at all? If so, how can this be achieved?

推荐答案

不，没有明确的方法来确定网址引荐来源网址。

根据 HTTP规范 ， HTTP_REFERER 是可选的。默认情况下，一些防火墙包会剥离它们，一些客户端不发送引用者值，并且有很多方法（如在问题中显示的那些）修改此值。

No, there's no definitive way of determing the URL Referrer.

As per the HTTP spec, HTTP_REFERER is optional. Some firewall packages strip these out by default, some clients don't send the referer value, and and there are numerous ways (like the one you showed in the question) to modify this value.

总之， HTTP_REFERER 值不能被信任。总有一些方法可以修改这些值。这在 PHP手册文档中有关 $ _ SERVER （强调）：

In short, the HTTP_REFERER value cannot be trusted. There will always be some way to modify these values. This is mentioned in the PHP manual documentation for $_SERVER (emphasis mine):

网页的地址用户代理到当前页面。这由用户代理设置。并非所有用户代理都会设置此选项，并且有些提供将HTTP_REFERER修改为功能的功能。 总之，它不可信任。

要回答您的问题， > no 方式防止 HTTP_REFERER 值被更改。建议您在使用之前仔细检查该值（可以选择应用 htmlspecialchars（） ，以防止注射）或不使用它。不幸的是，这是一个采取或回家交易。

To answer your question: no, there is no way to prevent HTTP_REFERER value being altered. I'd suggest you double-check the value before using it (optionally, apply htmlspecialchars() on it to prevent injection) or don't use it at all. Unfortunately, it is a "take it or go home" deal.

这篇关于防止cURL Referrer spoofing的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！