Referer spoofing

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by A:-)Brunuś (talk | contribs) at 18:46, 23 March 2012 (A:-)Brunuś moved page Referrer spoofing to Referer spoofing over redirect). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

In HTTP networking, typically on the World Wide Web, referrer spoofing (also sometimes spelled "referer spoofing", after a canonized misspelling) is the sending of incorrect referrer information in an HTTP request in order to prevent a website from obtaining accurate data on the identity of the web page previously visited by the user.

Overview

Referrer spoofing is typically done for data privacy reasons, in testing, or in order to request information which some web servers may only supply in response to requests with specific HTTP referrers.

To improve their privacy, individual browser users may replace accurate referrer data with inaccurate data, though many simply suppress their browser's sending of any referrer data. Sending no referrer information is not technically spoofing, though sometimes also described as such. Users may also modify other HTTP headers.[1]

In software, systems and networks testing,[2] referrer spoofing is often just part of a larger procedure of transmitting both accurate and inaccurate and both expected and unexpected input to the HTTPD system being tested and observing the results.

While many web sites are configured to gather referrer information and serve different content depending on the referrer information obtained, relying exclusively on HTTP referrer information for authentication and authorization is not a genuine state-of-the-art computer security measure, and has been described as snake oil security.[3] HTTP referrer information is freely alterable and interceptable, and is not a password, though some poorly configured systems treat it as such. Nevertheless, it is sometimes contended[by whom?] that referrer spoofing is not legitimate and/or constitutes unauthorized access. Because the vast majority of users never change their browser defaults, referrer protection remains useful in practice even though a few knowledgeable users are able to bypass it.

Application

Some websites, especially many image hosting sites, use referrer information to protect their materials: only browsers arriving from their own web pages are served images. Additionally, a site may want users to click through pages with advertising content before being able to access a downloadable file directly; using the referring page or referring site information can help a site redirect unauthorized users to the landing page the site would like them to see.

If attackers acquire knowledge of these approved referrers, which is often trivial because many sites follow a common template,[citation needed] they can combine that knowledge with referrer spoofing to gain free access to the materials.

Spoofing often allows access to a site's content where the site's web server is configured to block browsers that do not send referrer headers. Website owners may do this to disallow hotlinking.

It can also be used to defeat referrer checking controls that are used to mitigate Cross-Site Request Forgery attacks.
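The two server-side uses described above, a hotlink check and a CSRF referrer check, are illustrated below from the defender's side. This is an added example, not code from the article or from any particular web server; the hostnames `example.com` / `www.example.com`, the request headers and the function names are constructed for the illustration. It shows why an absent Referer has to be handled explicitly, why the header is parsed as a URL rather than substring-matched, and why a CSRF check that consults Origin or Referer still needs a synchronizer token: a spoofed header can satisfy the referrer comparison but never the token comparison.

```python
"""Server-side Referer / Origin checks, shown from the defender's side.

Added example, not code from the Wikipedia article.  Two checks run on
constructed request headers:

  * a hotlink check of the kind image hosts use, and
  * a CSRF check that consults Origin first, falls back to Referer, and
    still requires a synchronizer token, because both headers are
    client-controlled and may be absent or spoofed.
"""
import hmac
from urllib.parse import urlsplit

# Constructed site identity (assumption for the example).
SITE_ORIGIN = "https://example.com"
ALLOWED_REFERER_HOSTS = {"example.com", "www.example.com"}


def origin_of(url):
    """Return 'scheme://host[:port]' for an http(s) URL, or None if the
    value is missing, malformed or not http(s).  Parsing the whole header
    instead of substring-matching means 'https://example.com.evil.test/'
    does not pass as example.com."""
    if not url:
        return None
    parts = urlsplit(url)
    try:
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    default_port = 443 if parts.scheme == "https" else 80
    if port is not None and port != default_port:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def hotlink_allowed(headers, allow_blank=True):
    """Decide whether to serve an image from its Referer header.

    Returns (allowed, reason).  By default an absent Referer is served,
    since many legitimate clients never send one (privacy settings,
    direct URL entry, HTTPS-to-HTTP navigation); sites that block blank
    referrers, as the article describes, pass allow_blank=False.
    Nothing here authenticates anyone: a client that sends an allowlisted
    Referer is served, which is exactly the weakness the article notes.
    """
    referer = headers.get("Referer")
    if referer is None:
        return allow_blank, "no referer sent"
    origin = origin_of(referer)
    if origin is None:
        return False, "malformed referer"
    if urlsplit(origin).hostname in ALLOWED_REFERER_HOSTS:
        return True, "referer on allowlist"
    return False, "third-party referer"


def csrf_request_allowed(headers, form_token, session_token):
    """Defence-in-depth check for a state-changing request.

    1. The submitted token must equal the session's token (constant-time
       compare).  This is the primary control.
    2. If an Origin header is present it must match the site's origin.
    3. Otherwise Referer is consulted; on a state-changing request an
       absent Referer is rejected rather than trusted.
    A spoofed Referer can only ever satisfy steps 2-3, never step 1.
    """
    if not (form_token and session_token
            and hmac.compare_digest(form_token, session_token)):
        return False, "missing or mismatched CSRF token"
    origin = headers.get("Origin")
    if origin is not None:
        if origin == "null" or origin_of(origin) != SITE_ORIGIN:
            return False, "cross-origin request"
        return True, "token and Origin valid"
    referer_origin = origin_of(headers.get("Referer"))
    if referer_origin is None:
        return False, "no usable Origin or Referer on a state-changing request"
    if referer_origin != SITE_ORIGIN:
        return False, "cross-site referer"
    return True, "token and Referer valid"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "browser on our site": {"Referer": "https://www.example.com/gallery"},
    "no referer": {},
    "hotlinked from forum": {"Referer": "https://forum.example.net/thread/1"},
    "lookalike host": {"Referer": "https://example.com.evil.test/"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:22} -> {hotlink_allowed(hdrs)}")
    print("csrf, same origin      ->",
          csrf_request_allowed({"Origin": SITE_ORIGIN}, "t0k", "t0k"))
    # A spoofed Referer without the token gets nowhere.
    print("csrf, referer no token ->",
          csrf_request_allowed({"Referer": "https://example.com/"}, None, "t0k"))
```

The contrast between the two functions is the point: for a read of a public image, a missing Referer is benign and is usually served; for a request that changes state, the same missing header is treated as suspicious, and even a matching header is only corroboration for the token.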

Tools

Several software tools exist to facilitate referrer spoofing in web browsers. Some are extensions to popular browsers such as Mozilla Firefox or Internet Explorer, which may provide facilities to customise and manage referrer URLs for each website the user visits.

Other tools include proxy servers, to which an individual configures their browser to send all HTTP requests. The proxy then forwards different headers to the intended website, usually removing or modifying the referrer header. Such proxies may also present privacy issues for users, as they may log the user's activity.

See also

Notes

  1. ^ The manipulation of other HTTP headers is not referrer spoofing, but is a related practice.
  2. ^ and sometimes penetration testing
  3. ^ http://seclists.org/bugtraq/2002/Nov/199