HTTP Referer Trivia

The Horizon OPAC (HIP) does some weird things with HTTP referer headers, such that I had to get to the bottom of HTTP referer behavior to debug some hacks I was trying to do to HIP. Discovered some things I had never had occasion to discover before, related to HTTP Referer and redirects.

1. If a web server answers with a 3xx redirect, the browser requests the redirected-to content while keeping the original referer. The referer header is not changed to the redirecting URI. This is true for all 3xx redirect status codes.

2. If a browser requests a URI using a secure (https:) connection and is redirected to a non-secure (http:) URI, the browser will not send any referer header when requesting the redirected-to URI. It blanks it out. This is actually in the HTTP specification. I kind of see why they put this in the spec, but it’s kind of weird. Note that the referer is not blanked by a redirection to an entirely different server that is also https; it is blanked only by a redirection to any server that is http.
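As an added illustration (not code from this post), here is a small Python model of those two rules applied hop by hop along a redirect chain. The hostnames are made up, and the model assumes no Referrer-Policy header or meta tag is involved.

```python
from urllib.parse import urlsplit

def referers_along_chain(referring_page, chain):
    """Model the two referer rules described above for one redirect chain.

    referring_page: URL of the page the user clicked from (None if typed in).
    chain: the first requested URL followed by each 3xx Location target.
    Returns a list of (requested_url, referer_sent) pairs, one per hop.

    Rule 1: a 3xx redirect never replaces the Referer with the redirecting
            URL, so the candidate value is always the original page.
    Rule 2: if the referring page was https and the hop is plain http, the
            browser sends no Referer at all; because the candidate never
            changes, later hops stay blank once https -> http has happened.
    Assumption: plain HTTP/1.1 behaviour, no Referrer-Policy in play.
    """
    hops = []
    referer = referring_page
    for target in chain:
        if (referer is not None
                and urlsplit(referer).scheme == "https"
                and urlsplit(target).scheme == "http"):
            referer = None  # secure -> insecure: Referer is blanked
        hops.append((target, referer))
    return hops

def referer_after_redirects(referring_page, chain):
    """Referer the browser sends on the final request of the chain."""
    return referers_along_chain(referring_page, chain)[-1][1]

if __name__ == "__main__":
    # Constructed URLs; these hosts do not exist.
    page = "https://catalog.example/search?q=ruby"
    for chain in (
        ["https://hip.example/ipac", "https://hip.example/ipac20/ipac.jsp"],
        ["https://hip.example/ipac", "http://hip.example/ipac20/ipac.jsp"],
    ):
        for url, ref in referers_along_chain(page, chain):
            print(f"GET {url}\n    Referer: {ref if ref else '(none)'}")
```

Current browsers layer a Referrer-Policy on top of this (the default, strict-origin-when-cross-origin, also trims a cross-origin referer down to its origin), so a server-side check that expects the full original URL can fail for that reason as well as for the https-to-http downgrade.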

Keep in mind, of course, that ‘security’ relying on HTTP referer headers is never secure. An attacker can easily fake a referer header.
