Use php to forge referer and use referer to prevent image leeching

Source: Internet
Author: User

What is HTTP Referer?
In short, HTTP Referer is part of the header. When a browser sends a request to a web server, it usually carries a Referer to tell the server from which page the link is sent, the server obtains some information for processing. For example, if a user is linked to a friend on my homepage, his server can calculate from HTTP Referer how many users click the link on my homepage to access his website every day.
The Referer should be an English word Referrer, but there are too many people who misspelled the Referer, so the people who write the standard will be wrong.
My questions
I just changed the feed reader to Gregarius, but unlike the liferea I used earlier, the images in the feed reader cannot be displayed when I access the Sina Blog, the message "this image is only for Sina Blog user communication and communication" is displayed. I know that this is caused by HTTP Referer.
Due to the special configuration of the client on the internet, I first suspect that squid is a problem, but I have ruled out it through experiments. However, I also found a problem of privacy leakage that Squid and Tor and Privoxy work together, for future studies.
Can Gregarius handle this problem?
The answer is no, because Gregarius is only responsible for outputting html code, and accessing images is requested by a client browser to the server.
However, installing a firefox extension may solve the problem. I did not find the "Send Referrer" recommended in this article, but found another available one: "RefControl", which may vary depending on the Website access, different referers are used for control.
But I don't like using Firefox extensions to solve the problem, because I think it is too inefficient, so I use a better method-Privoxy.
Privoxy is awesome.
Add two rows in default. action of Privoxy:
{+ Hide-referrer {forge }}
In this way, will the pictures of Sina Blog In Gregarius come out? + Hide-referrer is a Privoxy filter. It sets the HTTP Referer processing method during access. The subsequent forge indicates that the access address is used as the Refere and can be replaced with a block to cancel the Referer, or you can directly write the Referer URL you want to use here.
Privoxy is much easier than Firefox.
From https to http
I also found that when I access an unencrypted http page from a link on an https page, the http Referer cannot be found on the HTTP page, for example, when I click the w3c xhtml validation icon under my own https page (the URL is Uri = referer). The verification is never completed. The following message is displayed:
No Referer header found!
Originally, it was defined in the rfc document of the http protocol:
Copy codeThe Code is as follows:
15.1.3 Encoding Sensitive Information in URI's

Clients shocould NOT include a Referer header field in a (non-secure)
HTTP request if the referring page was transferred with a secure

This is for security reasons. when accessing a non-encrypted page, if the source is an encrypted page and the client does not send Referer, IE is always implemented in this way, and Firefox is no exception. However, this does not affect access from encrypted pages to encrypted pages.
Referer settings in Firefox
There are two key values:
Network. http. sendRefererHeader (default = 2) sets the Referer sending method. If the value 0 is not sent at all, the value 1 is sent only when a link is clicked, and the value 0 is not sent when an image or something is accessed on the page, 2: Always send. See Privacy Tip #3: Block Referer Headers in Firefox
Network. http. sendSecureXSiteReferrer (default = true) sets whether to send a Referer when accessing another encrypted page from one encrypted page. true indicates sending, and false indicates not sending.

Use Referer to prevent image leeching

Although Referer is not reliable, it is enough to prevent image leeching. After all, not everyone will modify the client configuration. Generally, the configuration file of apache is used. First, set the allowed access address and mark it as follows:
# Only access from is allowed, and images may be placed on the page of the website.
SetEnvIfNoCase Referer "^" local_ref
# Access through an address directly
SetEnvIf Referer "^ $" local_ref
Then, the marked access is allowed:

Copy codeThe Code is as follows:
<FilesMatch ". (gif | jpg)">
Order Allow, Deny
Allow from env = local_ref


Copy codeThe Code is as follows:
Order Deny, Allow
Deny from all
Allow from env = local_ref

Do not use Rerferer

Do not use Rerferer for authentication or other important checks, because Rerferer is very easy to be changed on the client, whether through the Firefox extension, Privoxy, or even libcurl call described above, therefore, Rerferer data is very untrusted.
If you want to restrict user access from a certain portal page, instead of using Referer, you should use session, write session on the portal page, and then check on other pages, if the user has not accessed the portal page, the corresponding session does not exist. See the discussion here. However, as mentioned above, do not trust the "Verification" result of this method too much.
I personally think that in addition to anti-leeching, Rerferer is used for access statistics. For example, it is used to collect statistics on the access links where users access the resources.

HTTP-REFERER this variable has become increasingly unreliable, completely can be forged out of the east.
Here are the forgery methods:

PHP (provided that curl is installed ):
Copy codeThe Code is as follows:
$ Ch = curl_init ();
Curl_setopt ($ ch, CURLOPT_URL, " ");
Curl_setopt ($ ch, CURLOPT_REFERER, " /");
Curl_exec ($ ch );
Curl_close ($ ch );

PHP (use sock instead of curl)
$ Server = 'www ';
$ Host = 'www ';
$ Target = '/xxx. asp ';
$ Referer = 'HTTP: //'; // Referer
$ Port = 80;
$ Fp = fsockopen ($ server, $ port, $ errno, $ errstr, 30 );
If (! $ Fp)
Echo "$ errstr ($ errno) <br/> \ n ";
$ Out = "GET $ target HTTP/1.1 \ r \ n ";
$ Out. = "Host: $ host \ r \ n ";
$ Out. = "Referer: $ referer \ r \ n ";
$ Out. = "Connection: Close \ r \ n ";
Fwrite ($ fp, $ out );
While (! Feof ($ fp ))
Echo fgets ($ fp, 128 );
Fclose ($ fp );

XmlHttp. setRequestHeader ("Referer", "http: // URL"); // ha ~ Fake ~

JS does not support ipv_^

The principle is that sock constructs an http header to senddata. Other languages, such as perl, can also be used,
Currently, the simple method to defend against referer forgery is to use a verification code (Session ).
Some commercial companies that can use anti-leech software, such as UUDOG, linkgate, and VirtualWall, are all developed to apply the dll on IIS.
Some use cookies for verification and thread control, and some can randomly generate file names and then rewrite URLs. Some methods can indeed achieve good results.
However, the magic of these artifact will eventually be cracked.
Generally, this is the case, but it is difficult for the server to implement forgery. It can only create a small amount of data. If you can access the web page and forge it, You can implement real forgery, realize the distribution of natural IP addresses.

Related Article

E-Commerce Solutions

Leverage the same tools powering the Alibaba Ecosystem

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.