问题
We received PHP code from a developer with a web-stats script that relies solely on $_SERVER['HTTP_REFERER']
. With cURL, you can easily fake it as follows:
curl_setopt($curl, CURLOPT_REFERER, "client website");
and I'm looking for a way to prevent it. This can even be done by the client website as well, to have higher stats. I'm looking for a way to prevent this spoofing. Is this possible at all? If so, how can this be achieved?
回答1:
No, there's no definitive way of determing the URL Referrer.
As per the HTTP spec, HTTP_REFERER
is optional. Some firewall packages strip these out by default, some clients don't send the referer value, and and there are numerous ways (like the one you showed in the question) to modify this value.
In short, the HTTP_REFERER
value cannot be trusted. There will always be some way to modify these values. This is mentioned in the PHP manual documentation for $_SERVER (emphasis mine):
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
To answer your question: no, there is no way to prevent HTTP_REFERER
value being altered. I'd suggest you double-check the value before using it (optionally, apply htmlspecialchars() on it to prevent injection) or don't use it at all. Unfortunately, it is a "take it or go home" deal.
回答2:
There is nothing you can do about this referrer
tempering. All of the web-stats
scripts are depending on this referrer
. Even the giant web-stats
sites including google-analytics gets fooled by this fake referrer
.
It could be a nice solution to check back the referrer url. I mean visit the referrer and check whether your url exists there or not. But of course its time consuming, slow, and also requires a huge bandwidth as well. However it is not enough to overcome this issue.
Here are few problems at where you'll not find your link when you are tracking back the referrer url:
What if the referred url is behind the session? For example a link came from email like yahoo, google, or from a private forum.
What if the url came from a
javascript
link/click?Link from an
iframe
is nonetheless ofjavascript
link as well.
来源:https://stackoverflow.com/questions/21807604/preventing-curl-referrer-spoofing