The Referer request header
protocol | HTTP Header |
type | Request Header |
Mozilla link | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer |
RFC | RFC2068 |
The Referer header is generated by the client.
Referer = "Referer" ":" ( absoluteURI | relativeURI )
The Referer header is
The Host header is not directly related to or dependent on any other header, although it does work with the request field.
Example Referer headers.
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080219 Firefox/2.0.0.12 Navigator/9.0.0.6
User-Agent: Lynx/2.8.3rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.5a
User-Agent: Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaN95/10.0.018; Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML, like Gecko) Safari/413 UP.Link/6.3.0.0.0
Note that domain names and IP addresses are supported. It is also possible to specify a port number by using a colon (:) separator.
This header is often used by malware to take advantage of its application-level routing functionality: to redirect a request to an alternative destination, to surreptitiously gain access to a shared cache, or to poison a shared cache. An interception proxy, such as HAProxy*, is more vulnerable than most, as much of its processing is dependent on the analysis of the Host header, although little provision is made to allow headers to be verified, bound to IP addresses or the resource being requested.
*HAProxy is used in this example as an intercepting proxy. This does not mean that HAProxy is insecure. It is important to ensure that any such software is correctly configured by a competent resource.
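The verification the paragraph above finds lacking can be done before any routing or cache lookup uses the Host value. The following is an added example, not code from the original page or from HAProxy; `ALLOWED_HOSTS`, `ALLOWED_PORTS`, `parse_host` and `check_request` are assumed names, and the allowlist values are constructed.

```python
import ipaddress
import re

# Assumed deployment values (constructed for this example).
ALLOWED_HOSTS = {"www.example.com", "192.0.2.10"}
ALLOWED_PORTS = {80, 443}


def parse_host(value):
    """Split a Host value into (host, port or None); ValueError if malformed."""
    value = value.strip().lower()
    if not value or re.search(r"[\s,/@\\]", value):
        raise ValueError("illegal character")
    if value.startswith("["):  # bracketed IPv6 literal, e.g. [2001:db8::1]:443
        addr, close, rest = value[1:].partition("]")
        if not close or (rest and not rest.startswith(":")):
            raise ValueError("malformed IPv6 literal")
        host = str(ipaddress.IPv6Address(addr))
        port = rest[1:] if rest else None
    else:
        host, colon, port = value.partition(":")
        port = port if colon else None
        if host.endswith("."):  # "example.com." names the same host
            host = host[:-1]
    if not host:
        raise ValueError("empty host")
    if port is not None:
        if not re.fullmatch(r"[0-9]{1,5}", port):
            raise ValueError("non-numeric port")
        port = int(port)
    return host, port


def check_request(headers, default_port=443):
    """Return (ok, reason) for a list of (name, value) header pairs."""
    hosts = [v for n, v in headers if n.lower() == "host"]
    if len(hosts) != 1:  # missing or duplicated Host is ambiguous routing input
        return False, "expected exactly one Host header"
    try:
        host, port = parse_host(hosts[0])
    except ValueError as exc:
        return False, f"malformed Host: {exc}"
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    if (default_port if port is None else port) not in ALLOWED_PORTS:
        return False, "port not in allowlist"
    return True, "ok"
```

Requests that fail the check should be rejected rather than forwarded, and the canonical `(host, port)` pair, not the raw header text, should be what the cache key and routing decision use.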