Using PHP to forge the Referer header, and using Referer to prevent image hotlinking (PHP examples)

Source: Internet
Author: User
Tags curl

What is HTTP Referer?
In short, HTTP Referer is part of the request header: when a browser sends a request to a web server, it usually includes a Referer that tells the server which page the request came from, and the server can use that information for processing. For example, if my home page links to a friend's site, his server can use the HTTP Referer to count how many users per day reach his site by clicking the link on my home page.
Referer should really be the English word "referrer", but so many people misspelled it that the people who wrote the standard made the same mistake, and the misspelling stuck.
My problem
I have just switched my feed reader to Gregarius, but unlike Liferea, which I used before, it cannot show the pictures when I read Sina Blog posts; instead it shows the message "This picture is limited to Sina Blog user communication". I know this is caused by the HTTP Referer.
Because my Internet client configuration is unusual, my first suspicion was Squid, but experiments ruled that out. At the same time I found a privacy-disclosure problem when Squid, Tor and Privoxy are used together, which I will leave for later study.
Can Gregarius handle the problem?
No, because Gregarius is only responsible for outputting the HTML; the image itself is requested from the server by the client browser.
However, a Firefox extension may solve the problem. I could not find the recommended "Send Referrer", but found another that works: "RefControl", which controls which Referer is used depending on the site being accessed.
But I don't like solving problems with Firefox extensions, because I think they are too inefficient, so I looked for a better way: Privoxy.
Privoxy is great.
Add two lines to the Privoxy default.action:
With that, the pictures in Sina Blog posts show up in Gregarius. +hide-referrer is a Privoxy action that sets how the HTTP Referer is handled for a request: forge uses the address being accessed as the Referer; it can also be replaced with block, which removes the Referer entirely, or you can write here the Referer URL you want to use.
Using Privoxy is much simpler than the Firefox route, so I changed over quickly.
I also found that when I follow a link from an HTTPS page to an unencrypted HTTP page, the HTTP page cannot see the Referer. For example, when I click the W3C XHTML validation icon at the bottom of my HTTPS page (the validator URL is http://), the validation never completes and it reports:
No Referer Header found!
It turns out this is defined in the RFC for the HTTP protocol:

15.1.3 Encoding sensitive information in URI ' s

Clients SHOULD not include a Referer header field in a (non-secure)
HTTP request if the referring page is transferred with a secure

This is for security reasons: when an unencrypted page is accessed from an encrypted page, the client does not send the Referer. IE has always been implemented this way, and Firefox is no exception. It does not affect navigation from encrypted pages to other encrypted pages.
Firefox Referer settings
In about:config there are two relevant keys:
network.http.sendRefererHeader (default=2) sets the Referer sending mode: 0 never send, 1 send only when a link is clicked (not when loading images and other embedded resources on a page), 2 always send. See Privacy Tip #3: Block Referer Headers in Firefox.
network.http.sendSecureXSiteReferrer (default=true) sets whether to send the Referer when going from an encrypted page to an encrypted page on another site: true sends it, false does not.

Use Referer to prevent picture hotlinking

Although the Referer is not reliable, it is enough to prevent image hotlinking; after all, not everyone modifies their client configuration. It is usually implemented in the Apache configuration. First, mark the requests that are allowed:
# Only allow access from the site's own pages, where the pictures may be placed
SetEnvIfNoCase Referer "^" local_ref
# Direct access by typing the address (no Referer at all)
SetEnvIf Referer "^$" local_ref
Then allow only the marked requests (these are the Apache 2.2 access-control directives; on Apache 2.4 they need mod_access_compat, or the equivalent "Require env local_ref"):

<FilesMatch "\.(gif|jpg)$">
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>

or, equivalently, with an explicit deny:

<FilesMatch "\.(gif|jpg)$">
Order Deny,Allow
Deny from all
Allow from env=local_ref
</FilesMatch>
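The same allow rule as the Apache configuration above, as an added PHP example that is not from the article: it serves an image only when the Referer is empty or its host is the site's own, and it compares the parsed host rather than a string prefix (a prefix regex such as ^http://www.example.com would also match www.example.com.attacker.test). The images directory, the query parameter f and the host names are assumptions made for this example.

```php
<?php
// Added example: PHP equivalent of the SetEnvIf/FilesMatch rules above,
// so one script can front the image directory.
// Assumptions (not from the article): images live in ./images, the site's own
// hosts are the placeholders below, and the script is called as img.php?f=photo.jpg.

$allowedHosts = ['www.example.com', 'example.com'];   // placeholder host names
$imageDir = __DIR__ . '/images';

function refererAllowed(?string $referer, array $allowedHosts): bool
{
    // Empty Referer: direct access, or a client that strips the header
    // (HTTPS -> HTTP navigation, Privoxy +hide-referrer{block},
    // Firefox sendRefererHeader=0). Allowed, like the "^$" rule above.
    if ($referer === null || $referer === '') {
        return true;
    }
    // Compare the host component, not a string prefix: a prefix match on
    // "^http://www.example.com" also accepts
    // http://www.example.com.attacker.test/ or http://www.example.com@other/
    $host = parse_url($referer, PHP_URL_HOST);
    if ($host === false || $host === null) {
        return false;                  // unparsable URL: treat as foreign
    }
    return in_array(strtolower($host), $allowedHosts, true);
}

$name = basename($_GET['f'] ?? '');    // basename() discards any ../ path parts
if ($name === '' || !preg_match('/\.(gif|jpe?g|png)$/i', $name)) {
    http_response_code(404);
    exit;
}
$path = $imageDir . '/' . $name;
if (!is_file($path)) {
    http_response_code(404);
    exit;
}
if (!refererAllowed($_SERVER['HTTP_REFERER'] ?? null, $allowedHosts)) {
    http_response_code(403);           // hotlinked from another site
    exit;
}
header('Content-Type: ' . mime_content_type($path));
header('Content-Length: ' . filesize($path));
readfile($path);
```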

Where not to use Referer

Do not use Referer for authentication or other important checks, because it is very easy to change on the client: through the Firefox extensions described above, through Privoxy, or even through libcurl calls. Referer data is therefore extremely unreliable.
If you want to require that users go through an entry page, use a session instead of the Referer: set the session on the entry page and check it on the other pages; if the user has not visited the entry page, the corresponding session does not exist (see the discussion here). However, as noted above, do not put too much trust in the result of this kind of "validation" either.
My feeling is that apart from hotlink protection, the most common use of Referer today is access statistics, such as recording which links visitors came from.
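The session gating the paragraph above recommends, as an added example that is not part of the article: one script (assumed to be named gate.php) serves both the entry page and the protected page, and the protected page redirects back to the entry page when the session flag is missing or stale. The parameter p and the 30-minute lifetime are choices made for this example.

```php
<?php
// Added example, not from the article: session-based gating instead of a
// Referer check. gate.php?p=entry is the entry page, gate.php?p=content
// the protected page (script name and parameter are assumptions).

const GATE_TTL = 1800;   // seconds the entry flag stays valid (chosen for this example)

session_start();

function markEntered(): void
{
    // New session id on entry, so an id fixed before entry cannot be reused
    session_regenerate_id(true);
    $_SESSION['entered_at'] = time();
}

function hasEntered(): bool
{
    $t = $_SESSION['entered_at'] ?? null;
    return is_int($t) && (time() - $t) <= GATE_TTL;
}

$page = $_GET['p'] ?? 'entry';
if ($page === 'entry') {
    markEntered();
    echo '<p>Entry page. <a href="gate.php?p=content">Continue</a></p>';
} elseif ($page === 'content') {
    if (!hasEntered()) {
        // Unlike a Referer, the flag cannot be supplied by editing a request
        // header: the client must actually have fetched the entry page first
        // (which, as the text notes, a script can still do).
        header('Location: gate.php?p=entry', true, 302);
        exit;
    }
    echo '<p>Protected content.</p>';
} else {
    http_response_code(404);
}
```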

The HTTP Referer variable has become increasingly unreliable; it is something that can be forged completely.
Here are some forgery methods:

PHP (requires the curl extension):

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "");       // target URL (elided in the source)
curl_setopt($ch, CURLOPT_REFERER, "");   // the Referer value to send
curl_exec($ch);
curl_close($ch);

PHP (without curl, using a raw socket):
$server  = '';           // server to connect to (elided in the source)
$host    = '';           // Host header value (elided in the source)
$target  = '/xxx.asp';
$referer = '';           // Referer value to send
$port    = 80;
$fp = fsockopen($server, $port, $errno, $errstr, 30);
if (!$fp) {
    echo "$errstr ($errno)<br/>\n";
} else {
    // Build the raw HTTP request by hand; the Referer line is whatever we choose
    $out  = "GET $target HTTP/1.1\r\n";
    $out .= "Host: $host\r\n";
    $out .= "Cookie: aspsessionidsqtbqsda=dfcapklbbficdafmhnkigkeg\r\n";
    $out .= "Referer: $referer\r\n";
    $out .= "Connection: close\r\n\r\n";
    fwrite($fp, $out);
    while (!feof($fp)) {
        echo fgets($fp, 128);
    }
    fclose($fp);
}

JavaScript:
xmlhttp.setRequestHeader("Referer", "http://URL");   // hehe ~ fake ~


JavaScript does not support this ^_^ (browsers refuse to let scripts set the Referer header).

The principle is simply that the socket constructs the HTTP headers and sends the data; other languages such as Perl can do the same. The simpler way to defend against forgery is to use a CAPTCHA (with a session) rather than relying on Referer.
There are also commercial anti-hotlinking products, such as UUDog, LinkGate and VirtualWall, developed as DLLs for IIS. Some validate cookies, some control threads, some generate random file names and do URL rewriting. Some of these methods do achieve good results.
But in this game of cat and mouse, these tricks are all eventually cracked.
That is the general situation. Forging from a server is not very effective, though: it can only produce a small amount of data. Only if the forged requests could be made from the web pages that visitors load would it be real forgery, with naturally distributed IPs.
