HTTP referer validation
Added by danzimal over 6 years ago
We have lighttpd server installations for which the $HTTP["referer"] should always be sourced from the $HTTP["host"].
It appears that the conditional configuration for the code module supports the syntax of:
<field> <operator> <value> where the <value> is either a quoted ("") literal string or regular expression.
This prevents a conditional something like:
$HTTP["referer"] !~ "(^https*//)" + $HTTP["host"] { url.access-deny = ( "" ) }
Any ideas how one might implement such a rule?
Replies (3)
RE: HTTP referer validation - Added by stbuehler over 6 years ago
Some (browser) privacy extensions disable the Referer header completely, not just for foreign domains, so please don't do that.
Also I think such magic can only be implemented through mod_magnet (or in a dynamic backend of your choice of course).
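The mod_magnet approach mentioned in the reply above, as an added example (not part of the original thread and not lighttpd project code): a Lua script that compares the authority of the Referer with the Host header and, by default, lets requests without a Referer through. The script path, the `ALLOW_MISSING_REFERER` switch and the function names are assumptions, and the sample hosts are constructed.

```lua
-- referer_check.lua: added example, not code from the thread or the lighttpd project.
-- Assumed wiring in lighttpd.conf (the script path is a placeholder):
--   server.modules += ( "mod_magnet" )
--   magnet.attract-raw-url-to = ( "/etc/lighttpd/referer_check.lua" )
-- Uses the classic lighty.request[] header table of mod_magnet.

-- Policy switch (assumption): accept requests that carry no Referer at all,
-- since privacy extensions and "Referrer-Policy: no-referrer" remove the header.
local ALLOW_MISSING_REFERER = true

-- Return the lowercased authority (host[:port]) of an absolute http(s) URL,
-- or nil when the value is not such a URL.
local function referer_authority(referer)
  local authority = referer:match("^[Hh][Tt][Tt][Pp][Ss]?://([^/?#]*)")
  if not authority or authority == "" then return nil end
  -- Drop userinfo ("user@host") so it cannot pose as the host name.
  authority = authority:gsub("^.*@", "")
  return authority:lower()
end

-- True when the Referer points at the same host the request was sent to.
-- The whole authority is compared, so "www.example.test.other.test" does not
-- pass as "www.example.test". An explicit default port on only one side fails closed.
local function referer_matches_host(referer, host)
  if referer == nil or referer == "" then return ALLOW_MISSING_REFERER end
  if host == nil or host == "" then return false end
  local authority = referer_authority(referer)
  return authority ~= nil and authority == host:lower()
end

if lighty then
  -- Inside lighttpd: reject mismatches with 403. Falling off the end returns
  -- nothing, so lighttpd continues to handle the request normally.
  if not referer_matches_host(lighty.request["Referer"], lighty.request["Host"]) then
    return 403
  end
else
  -- Outside lighttpd (plain lua): self-check on constructed sample values.
  local host = "www.example.test"
  assert(referer_matches_host("http://www.example.test/a.lsp", host))
  assert(referer_matches_host("HTTPS://WWW.Example.Test", host))
  assert(not referer_matches_host("http://www.example.test.other.test/", host))
  assert(not referer_matches_host("http://www.example.test@other.test/", host))
  assert(referer_matches_host(nil, host) == ALLOW_MISSING_REFERER)
end
```

Setting `ALLOW_MISSING_REFERER` to `false` gives the strict rule from the question, at the cost of blocking clients that strip the header.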
RE: HTTP referer validation - Added by danzimal over 6 years ago
Understood!
How about changing the default from no-referrer-when-downgrade to simply no-referrer?
Request URL: http://10.85.231.85/htdocs/pages/base/sys_description.lsp
Request Method: GET
Status Code: 200 OK
Remote Address: 10.85.231.85:80
Referrer Policy: no-referrer-when-downgrade
RE: HTTP referer validation - Added by danzimal over 6 years ago
I was able to set it via the conf file response-header.
"Referrer-Policy" => "no-referrer"
Request Method: GET
Status Code: 200 OK
Remote Address: 10.85.231.85:80
Referrer Policy: no-referrer