http_referer lost using https



Picture two web pages, both viewed using https. They reside on different domains.

How can I (reasonably) ensure that someone arriving at my page came via a hyperlink that resides on another (specific) domain? I only want to allow traffic from that domain. Any ideas on the best way to accomplish this would be appreciated.

I tried looking at the HTTP_REFERER, but apparently it is not being sent in this case. I know that the HTTP RFC specifies not sending the referrer info from https -> http, but does this also apply to https -> https across domains or ssl certs?

My domain runs on ASP.NET if it matters. I have no control over the source domain.

Thank you.

  • I know the referrer can be spoofed. I understand that I can’t keep everyone out. I need a solution that will work well enough to keep out the casually curious and keep people from bookmarking the target site, forcing them to arrive via the site I have no control over.

    BlueRonin07 сентября 2009, 20:36
  • Referer is easily spoofed, I don’t recommend it

    Mauricio Scheffer07 сентября 2009, 20:32

3 ответов


Elaborating on mjv's response: you should put HMAC (RFC 2104) into the URL. Have a shared secret between the two servers, and have the originating server generate links of the form /timestamp/hmac/path. The hmac should be verified from hmac(key, timestamp+path), so that different images generate different hmacs. The target server can then decide whether the timestamp is young enough to originate from a redirect.

You can further restrict that by putting the IP address of the client into the hmac, requring that the same client that received the URL is also resolving it. That may be error-prone, though, in the presence of HTTP proxies which process only http and not https or vice versa.


Независимо от того, разрешают ли RFC отправку http_referer или нет, вы обнаружите, что многие веб-клиенты и / или прокси-серверы или другие связанные с конфиденциальностью шлюзы между ним и сервером будут удалять или подделать http_referer в заголовке, разрывая большую часть основанной на http_referer схемы «аутентификации» в лучшем случае частично функциональной.

Если вы сотрудничаете с хранителем первого https-сервера, вы можете договориться о передаче хэш-кода на основе time + something_else в запросах к вашему серверу. Проверив хэш-код на своей стороне, вы узнаете, что ваш https-посетитель пришел с другого сервера [совсем недавно].


If you've got no control over the referring site you are out of luck.

Sniff the referrer if you can, and if it's not present throw up a landing page that says "click here go to site A so you can come back here".

Additionally, spend some time working on a more robust method of accessing your 'secure' site.

  • That’s my problem, the fact that the referrer is not present when someone arrives from site A. I need that “go to site A” error to show up for everyone else.

    As for accessing the site, site A directs people to my login page. They can’t do much without a login other than admire the work of my graphic designers.

    BlueRonin08 сентября 2009, 12:07