Using PHP to Forge the Referer, and Using the Referer to Prevent Picture Hotlinking (PHP Tutorial)

Source: Internet
Author: User
What is the HTTP Referer?
In short, the HTTP Referer is part of the request header. When the browser sends a request to the web server, it usually includes a Referer telling the server which page the link was followed from, and the server can use this information for processing. For example, if you follow a link from my home page to a friend's site, his server can use the HTTP Referer to count how many users reached his website by clicking the link on my page.
Referer should really be spelled "referrer", but so many people misspelled it that the people writing the standard got it wrong too.
My problem
I recently switched my feed reader to Gregarius, but unlike Liferea, which I used before, it cannot display the pictures when visiting Sina Blog; instead it shows "This image is limited to Sina Blog user communication". I knew this was caused by the HTTP Referer.
Because of the particular configuration of my Internet client, I first suspected Squid was the problem, but experiments ruled that out. At the same time I found a privacy leak involving Squid with Tor and Privoxy, to be researched later.
Can Gregarius deal with this problem?
No, because Gregarius is only responsible for outputting the HTML; the image itself is requested from the server by the client browser.
However, installing a Firefox extension may solve it. The article I read recommended "Send Referrer", which I could not find, but I found another one that works: "RefControl", which controls which Referer is used depending on the site being accessed.
But I do not like solving the problem with a Firefox extension, because I think it is too inefficient, so I turned to a better way: Privoxy.
Privoxy's awesome.
Add two lines to Privoxy's default.action:
With that, the Sina Blog pictures show up in Gregarius. +hide-referrer is a Privoxy action that controls how the HTTP Referer is handled for the matched sites: forge sends the visited site's own address as the Referer, block removes the Referer header entirely, or you can write the exact Referer URL you want to use here.
Using Privoxy is simpler than a Firefox extension, so I switched straight away.
I also found that when a non-encrypted HTTP page is opened from a link on an HTTPS page, the HTTP page receives no HTTP Referer. For example, when I click the XHTML validation icon (an http:// link) at the bottom of my HTTPS page, the validation can never complete and prompts:
No Referer Header found!
It turns out this is defined in the RFC for the HTTP protocol:

15.1.3 Encoding Sensitive Information in URI's

Clients should not include a Referer header field in a (non-secure)
HTTP request if the referring page is transferred with a secure

This is for security reasons: when a non-encrypted page is reached from an encrypted page, the client does not send the Referer. IE has always implemented this, and Firefox is no exception. It does not, however, affect access from encrypted pages to other encrypted pages.
Referer settings in Firefox
In about:config there are two relevant keys:
network.http.sendRefererHeader (default=2) sets when the Referer is sent: 0 never sends it, 1 sends it only when a link is clicked (not for images embedded in the page), 2 always sends it. See Privacy Tip #3: Block Referer Headers in Firefox.
network.http.sendSecureXSiteReferrer (default=true) sets whether the Referer is sent when going from an encrypted page to another encrypted page: true sends it, false does not.

Using the Referer to prevent picture hotlinking

Although the Referer is not reliable, it is enough to prevent picture hotlinking; after all, not everyone modifies their client configuration. This is usually implemented in the Apache configuration file. First mark the requests that are allowed access:
# Only allow access from the site's own pages (its URL goes after the ^), where the pictures may be embedded
SetEnvIfNoCase Referer "^" local_ref
# Direct access by typing the address (no Referer at all)
SetEnvIf Referer "^$" local_ref
Then allow only the marked requests; either of the following forms works (note that Apache environment variable names are case-sensitive, so local_ref must be spelled the same way in both places):

Order Allow,Deny
Allow from env=local_ref

or:

Order Deny,Allow
Deny from all
Allow from env=local_ref
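As an added example (not code from the original article), the same two rules written in Python so the decision can be checked against constructed requests; the host name example.com is a placeholder for the site URL the page leaves out:

```python
import re

# Placeholder for the site's own host name, which the page leaves out.
OWN_HOST = "example.com"

# The page's two SetEnvIf rules: a Referer that starts with the site's own URL
# (compared case-insensitively, as SetEnvIfNoCase does), or an empty Referer
# (typed-in address, or a link from an HTTPS page to this HTTP page, where the
# browser omits the header per RFC 2616 15.1.3). The first pattern ends in (/|$)
# so that a host such as example.com.other.test does not pass as a prefix match.
LOCAL_REF_PATTERNS = [
    re.compile(r"^https?://(www\.)?" + re.escape(OWN_HOST) + r"(/|$)", re.IGNORECASE),
    re.compile(r"^$"),
]

def has_local_ref(headers):
    """SetEnvIf stage: would Apache tag this request with env=local_ref?
    A missing Referer header is treated as the empty string, as Apache does."""
    referer = headers.get("Referer", "")
    return any(p.search(referer) for p in LOCAL_REF_PATTERNS)

def image_response(headers):
    """Both Apache variants on the page (Order Allow,Deny with Allow from env,
    or Order Deny,Allow with Deny from all) reduce to: serve only local_ref."""
    return 200 if has_local_ref(headers) else 403

# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = {
    "own page":       {"Referer": "http://www.example.com/blog/post.html"},
    "own page, caps": {"Referer": "HTTP://EXAMPLE.COM/gallery/"},
    "direct access":  {},
    "https->http":    {},  # browser dropped the Referer, so it is also served
    "other site":     {"Referer": "http://other.test/page.html"},
    "lookalike host": {"Referer": "http://example.com.other.test/"},
    # A non-browser client that writes the header itself is served too; this is
    # the limitation the page describes, so the check is not access control.
    "self-declared":  {"Referer": "http://example.com/", "User-Agent": "curl"},
}

def decide_all(requests=SAMPLE_REQUESTS):
    """Map each sample request name to the status the image URL would return."""
    return {name: image_response(h) for name, h in requests.items()}

if __name__ == "__main__":
    for name, status in decide_all().items():
        print(f"{name:15} -> {status}")
```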

Where not to use the Referer

Do not use the Referer for authentication or other important checks, because it is very easy to change on the client, whether through the Firefox extension described above, through Privoxy, or even through a libcurl call, so Referer data is very unreliable.
If you want to require that a user has passed through a portal page, use the session instead of the Referer: write to the session on the portal page and check it on the other pages; if the user has not visited the portal page, the corresponding session value will not exist (see the discussion here). However, as noted above, do not put too much faith in the results of this kind of "verification" either.
Personally I feel that, apart from hotlink protection, the most common use of the Referer now is access statistics, such as counting which links users arrived from.

The HTTP Referer has become less and less reliable; it is something that can be forged completely.
The following are the forgery methods:

PHP (provided curl is installed):
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "");      // target URL
curl_setopt($ch, CURLOPT_REFERER, "");  // Referer to send
curl_exec($ch);
curl_close($ch);

PHP (without curl, using a raw socket):
$server  = '';          // server to connect to
$host    = '';          // value of the Host header
$target  = '/xxx.asp';
$referer = '';          // Referer to send
$port    = 80;
$fp = fsockopen($server, $port, $errno, $errstr, 30);
if (!$fp) {
    echo "$errstr ($errno)\n";
    exit;
}
// Build the raw HTTP request by hand, including the Referer line
$out  = "GET $target HTTP/1.1\r\n";
$out .= "Host: $host\r\n";
$out .= "Cookie: aspsessionidsqtbqsda=dfcapklbbficdafmhnkigkeg\r\n";
$out .= "Referer: $referer\r\n";
$out .= "Connection: close\r\n\r\n";
fwrite($fp, $out);
while (!feof($fp)) {
    echo fgets($fp, 128);
}
fclose($fp);

xmlhttp.setRequestHeader("Referer", "http://URL"); // hehe ~ fake ~

JavaScript does not support this ^_^ (browsers refuse to let XMLHttpRequest set the Referer header)

The principle is that the socket constructs the HTTP header by hand and sends the data; other languages such as Perl can do the same.
At present, the relatively simple way to defend against a forged Referer is to use a verification code together with the session.
There are also commercial anti-hotlinking products, such as UUDog, LinkGate and VirtualWall, developed as DLLs that run on IIS.
Some use cookie authentication or thread control; some randomly generate filenames and then do URL rewriting. Some of these methods do achieve good results.
But however clever, these tricks can eventually be cracked.
That is generally the case, but forging on the server side is not a good implementation and can only produce a small amount of data; only forgery performed where the web page is actually accessed would be a true forgery, with a natural IP distribution.
