HTTP referer validation

Added by danzimal over 5 years ago

We have lighttpd server installations for which the $HTTP["referer"] should always be sourced from the $HTTP["host"].

It appears that the conditional configuration for the code module supports the syntax:
<field> <operator> <value> where the <value> is either a quoted ("") literal string or regular expression.

This prevents a conditional like:

$HTTP["referer"] !~ "(^https*//)" + $HTTP["host"] {
  url.access-deny = ( "" )
}

Any ideas how one might implement such a rule?


Replies (3)

RE: HTTP referer validation - Added by stbuehler over 5 years ago

Some (browser) privacy extensions disable the Referer header completely, not just for foreign domains, so please don't do that.

Also I think such magic can only be implemented through mod_magnet (or in a dynamic backend of your choice of course).
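
A sketch of the mod_magnet approach mentioned in the reply above, as an added example that is not part of the original thread and not code from the lighttpd project. It assumes the script is attached with `magnet.attract-raw-url-to` (the file path is a placeholder), and it lets requests without a Referer through, since privacy extensions and a `no-referrer` policy remove the header entirely.

```lua
-- referer_check.lua (added example; hypothetical file name).
-- Assumed lighttpd.conf wiring, path is a placeholder:
--   server.modules += ( "mod_magnet" )
--   magnet.attract-raw-url-to = ( "/etc/lighttpd/referer_check.lua" )

-- Return the lowercased host[:port] of an absolute http(s) URL, or nil
-- when the value is not an http(s) URL or has an empty authority.
local function referer_authority(referer)
  local authority = referer:match("^[Hh][Tt][Tt][Pp][Ss]?://([^/?#]*)")
  if not authority then
    return nil
  end
  -- Drop userinfo ("user:pass@") so it cannot be mistaken for the host.
  authority = authority:gsub("^.*@", "")
  if authority == "" then
    return nil
  end
  return authority:lower()
end

local referer = lighty.request["Referer"]
local host = lighty.request["Host"]

-- No Referer at all: let the request continue. Blocking here would lock
-- out clients that strip the header for privacy reasons.
if referer == nil or referer == "" then
  return
end

-- A Referer is present: it must point at the same host[:port] that the
-- request itself was addressed to, otherwise answer 403.
local ref_host = referer_authority(referer)
if host == nil or ref_host == nil or ref_host ~= host:lower() then
  return 403
end

-- Same-host Referer: return nothing so lighttpd handles the request normally.
```

The comparison is exact on host and port, so a site reachable under several names or ports needs each request's own Host value to match, which is what the script checks.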

RE: HTTP referer validation - Added by danzimal over 5 years ago

Understood!

How about changing the default from no-referrer-when-downgrade to simply no-referrer?

Request URL: http://10.85.231.85/htdocs/pages/base/sys_description.lsp
Request Method: GET
Status Code: 200 OK
Remote Address: 10.85.231.85:80
Referrer Policy: no-referrer-when-downgrade

RE: HTTP referer validation - Added by danzimal over 5 years ago

I was able to set it via the conf file response-header.

"Referrer-Policy" => "no-referrer"
Request Method: GET
Status Code: 200 OK
Remote Address: 10.85.231.85:80
Referrer Policy: no-referrer