我可以依赖Referer HTTP标头吗? [英] Can I rely on Referer HTTP header?
问题描述
我可以在网络应用程序中依赖 Referer HTTP标头吗?我想检查用户是否来自特定的域名/网页,如果他或她这样做,则相应地更改我的网站布局。
Can I rely on Referer HTTP header in my web application? I want to check if the user came from a particular domain/webpage, and if he or she did, then change the layout of my site accordingly.
我知道人们可以在他们的浏览器中禁用 Referer 。任何想法用户经常这样做?我可以依赖 Referer 出现在99%?
I know that people can disable Referer in their browsers. Any ideas how often users do that? Can I rely on Referer being present in 99%?
推荐答案
As一般规则,您应该不信任HTTP Referer Header以了解任何重要事项,除了对访问者是谁或在您自己网站的用户之间寻找行为模式的纯信息统计分析。
As a general rule, you should not trust the HTTP Referer Header for any matter of importance, except for purely informative statistical analysis of who your visitors are or when looking for patterns of behaviour among the users of your own site.
在任何情况下都不建议您使用此标题进行AAA(身份验证,授权和记帐),除非如上所述,您认为Accounting是简单的流量分析访问者的行为。
Under no circumstance it is advisable that you use this header for AAA (Authentication, Authorization and Accounting), unless, as commented above, you consider Accounting the simple traffic analysis of your visitor's behavior.
OWASP(开放式Web应用程序安全项目)使用 Web应用程序中AAA的Referer标头。
The OWASP (Open Web Application Security Project) considers it a "Vulnerabilty" using the Referer header for AAA in your Web Application.
其他一些更具体的原因不是信任Referer Header,包括:
Some other and more specific reasons not to trust the Referer Header, include:
通常,当从HTTP< - > HTTPS(TLS)连接链接时,大多数标准Web浏览器都不会通知此标题。
In general, when "linking" from an HTTP <-> HTTPS (TLS) connection, most standard Web browsers will not inform this header.
出于隐私原因,许多公司代理配置为删除/删除此标头,因此即使Web浏览器发送此标头,公司代理软件也可能将其删除。
For privacy reasons, many corporate proxies are configured to remove/strip this header, so even if a Web browser sends this header, a corporate proxy software may remove it.
在野外安全解决方案中,恶意软件,嵌入到应用程序中的浏览器......已知会修改和/或欺骗此标题的内容。
Out in the wild security solutions, malware, browsers embedded into applications... are known to modify and/or cheat on the contents of this header.
请注意:
- 当链接时HTTPS到HTTPS,大多数标准Web浏览器即使在更改域名或网络地址目的地时也会通知此标题。
这篇关于我可以依赖Referer HTTP标头吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
