Forum Discussion
KD_48848
Nimbostratus
Sep 10, 2008
iRule to match http referer to be Null
Currently www.abc.com/login.html is getting redirected to www.abc.com/private/login.html as per the code.
www.abc.com/private/login.html has header referer enabled and is set to www.abc...
hoolio
Cirrostratus
Sep 10, 2008
Hi,
I'm pretty sure that the server cannot influence what the client's browser sets as the referer header in requests. The browser generates the referer header value based on the link that the client accessed to generate the current request. Check RFC 2616 section 14.36 for details.
As the referer header and any other unencrypted HTTP header can be arbitrarily set by a malicious user, it's not a great idea to depend on this for access control. It would be much more secure to fix the application's authentication/authorization or potentially set an encrypted cookie when a client logs in and validate that on subsequent requests.
Aaron
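The contrast drawn in the reply above, as an added example that is not part of the original thread: a Referer-based check accepts any client-supplied value, while a cookie issued at login and verified on each request does not. It is written in Python rather than as an iRule, and it uses an HMAC-signed cookie in place of the encrypted cookie the reply suggests; the key, function names, `http://` scheme and 15-minute lifetime are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: a server-side secret, never sent to clients
MAX_AGE = 900                     # assumption: cookie lifetime in seconds


def _mac(payload: str) -> bytes:
    """Base64url-encoded HMAC-SHA256 over the cookie payload."""
    digest = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest)


def issue_cookie(user: str, now: int) -> str:
    """Build 'user|expiry|mac' once the login itself has succeeded."""
    if "|" in user:
        raise ValueError("separator not allowed in user name")
    payload = f"{user}|{now + MAX_AGE}"
    return f"{payload}|{_mac(payload).decode()}"


def cookie_is_valid(cookie: str, now: int) -> bool:
    """Accept only an unexpired cookie whose MAC verifies."""
    try:
        user, expiry, mac = cookie.split("|")
        expires_at = int(expiry)
    except ValueError:
        return False  # wrong field count or non-numeric expiry
    expected = _mac(f"{user}|{expiry}")
    # Constant-time comparison on bytes; the MAC covers both user and expiry.
    return hmac.compare_digest(mac.encode(), expected) and now < expires_at


def referer_check(referer: str) -> bool:
    """The weak control: trusts a header the client chooses freely."""
    return referer.startswith("http://www.abc.com/")


def allow_private(referer: str, cookie: str, now: int) -> bool:
    """The stronger control: Referer is ignored, only the cookie decides."""
    return cookie_is_valid(cookie, now)
```
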
