Referer Header

The Referer request header contains the address of the page making the request.

The Referer header allows servers to identify where people are visiting them from.

May use that data for analytics, logging, or optimized caching.
Sometimes used for access control.

Fully user controllable.

First hit: No Referer

GET https://elearning.ua.pt/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Cookie: _ga_RWZB1HRVYE=GS1.1.1605202432.1.1.1605202861.0; _ga=GA1.1.857190253.1605202434;
_gid=GA1.2.1334581424.1605202436; _hjTLDTest=1; _hjid=25f0d0c2-0616-4e02-86b2-ba6a336f5a99;
_hjFirstSeen=1; _hjAbsoluteSessionInProgress=0
Upgrade-Insecure-Requests: 1
Host: elearning.ua.pt

Subsequent request

GET https://elearning.ua.pt/theme/adaptable/style/print.css HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Referer: https://elearning.ua.pt/
Cookie: _ga_RWZB1HRVYE=GS1.1.1605202432.1.1.1605202861.0; _ga=GA1.1.857190253.1605202434;
_gid=GA1.2.1334581424.1605202436; _hjTLDTest=1; _hjid=25f0d0c2-0616-4e02-86b2-ba6a336f5a99;
_hjFirstSeen=1; _hjAbsoluteSessionInProgress=0; MoodleSession=bcsqms7e7h324mmv1s46favccl
Host: elearning.ua.pt

Expected meaning:

User accessing /internal/private.html, and came from /loggedin therefore it was authenticated.

In reality:

The 'Referer' header MAY be set by the browser.
Was meant for origin authentication, but is used for authorization.
Falls in the TOCTOU: Time-of-check time-of-use.

Last updated 1 year ago