Yes it's true. Anybody can send anything in HTTP_REFERER header, you shouldn't trust it.
$_SERVER['HTTP_REFERER'] is a browser-sent value that usually tells you which page the user came from.
ChatGPT is saying something like:
No, not really:
HTTP_REFERER can be missing or faked, depending on browser settings.
It should not be relied on for security, but it’s okay for flow control or basic UX.
is that true?
@umaworld Yes, it’s true. The HTTP_REFERER header can be spoofed or just not sent at all. For example, after clicking a link with a rel="noreferrer" attribute.
From https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Attributes/rel/noreferrer:
The noreferrer keyword for the rel attribute of the <a>, <area>, and <form> elements instructs the browser, when navigating to the target resource, to omit the Referer header and otherwise leak no referrer information — and additionally to behave as if the noopener keyword were also specified.
So you shouldn’t be relying on this header being present, let alone being trustworthy.
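As an added example (not code from anyone in this thread), here is the pattern the replies describe: read the Referer purely as a UX hint for a "back" link, tolerate it being absent, and never redirect to it blindly because the value is attacker-controlled. The function name, the $expectedHost parameter and the sample requests are constructed for illustration.

```php
<?php
// Return a same-origin path to send the user "back" to, or $fallback when the
// Referer is missing or does not belong to this application.
// Assumption: $expectedHost is the hostname this application is served from.
function backUrlFromReferer(array $server, string $expectedHost, string $fallback = '/'): string
{
    // The header is frequently missing: rel="noreferrer", privacy settings,
    // cross-origin referrer policies. Absence must be a normal case.
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        return $fallback;
    }

    $parts = parse_url($referer);
    if ($parts === false || empty($parts['host'])) {
        return $fallback;
    }

    // Anyone can put any string here, so accept only an https URL on our own
    // host and rebuild a relative path from it rather than echoing the value.
    if (($parts['scheme'] ?? '') !== 'https' || strcasecmp($parts['host'], $expectedHost) !== 0) {
        return $fallback;
    }

    $path = $parts['path'] ?? '/';
    // Reject "//host/..." and "/\host/..." which browsers treat as
    // protocol-relative URLs; otherwise the "back" link becomes an open redirect.
    if ($path === '' || $path[0] !== '/' || preg_match('#^/[/\\\\]#', $path)) {
        return $fallback;
    }

    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Constructed sample requests (not real traffic).
$sameOrigin = ['HTTP_REFERER' => 'https://app.example.com/orders?page=2'];
$missing    = [];                                                  // e.g. link had rel="noreferrer"
$spoofed    = ['HTTP_REFERER' => 'https://evil.example.net/phish'];
$tricky     = ['HTTP_REFERER' => 'https://app.example.com//evil.example.net/x'];

foreach ([$sameOrigin, $missing, $spoofed, $tricky] as $request) {
    var_dump(backUrlFromReferer($request, 'app.example.com'));
}
```

The same-origin request yields its own path, while the missing, spoofed and protocol-relative cases all fall back to "/"; nothing here should ever gate an authenticated action.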