vaibhav
May 21, 2011
Referer header is not reaching the webservers
The problem scenario is that we have to block any external request to a web server unless it's a 302 redirect request from our App server. While trying to achieve it we refer...
hoolio
May 23, 2011
Mike, that solution is for how to configure a monitor. I think vaibhav is concerned about the load balanced traffic.
vaibhav, LTM shouldn't modify the referer header or any other HTTP header in requests unless you specifically configure an iRule to do so. Can you use a browser plugin like HttpFox or Fiddler to test this and see if the client is sending a Referer header in requests?
Is the redirect being sent from HTTPS to an HTTP URL? If so, most browsers will not send the Referer header as a security precaution. Also, keep in mind it is very simple for a malicious client to insert any HTTP header name/value they want. So the referer header is not a secure method for restricting access. Here are a few ways you could spoof the Referer header:
http://tamperdata.mozdev.org/
https://addons.mozilla.org/en-US/firefox/addon/refspoof/
http://referer.us/Spoof-HTTP-Referer.html
http://stackoverflow.com/questions/3104647/how-to-spoof-http-referer
If you want to ensure a client has come from one site, it would be better to use an encrypted token in the URL (or a cookie, if the two URLs are on the same domain) which could be verified.
Aaron
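An added illustration of the token approach Aaron suggests as the alternative to trusting the Referer header. This is example code written for this page, not code from the thread, from F5, or from any LTM iRule: the app server signs a short-lived token with an HMAC and puts it in the redirect URL, and the web server accepts the request only if the token verifies and has not expired. The shared secret, the token format, the `sub`/`exp` field names and the 60-second lifetime are all assumptions chosen for the demonstration; the Referer header plays no part in the decision, so a client that forges it gains nothing.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo secret (assumption). In practice the app server and the
# web server would share it out of band and rotate it periodically.
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_token(subject: str, ttl: int = 60, now: Optional[int] = None,
                secret: bytes = SECRET) -> str:
    """App server side: bind a subject and an expiry time under an HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": subject, "exp": now + ttl},
                         separators=(",", ":")).encode("utf-8")
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    # payload and MAC are base64url-encoded separately and joined with a dot
    return _b64e(payload) + "." + _b64e(mac)


def build_redirect_location(target: str, subject: str, ttl: int = 60,
                            now: Optional[int] = None) -> str:
    """Value the app server would place in the Location header of its 302."""
    return target + "?" + urlencode({"token": issue_token(subject, ttl, now)})


def verify_token(token: str, now: Optional[int] = None,
                 secret: bytes = SECRET) -> Optional[str]:
    """Web server side: return the subject if the token is genuine and unexpired."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = _b64d(payload_b64)
        mac = _b64d(mac_b64)
    except ValueError:           # malformed token or bad base64 padding
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # constant-time comparison so a forger learns nothing from timing
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("exp", 0) < now:
        return None
    return data.get("sub")


def request_is_authorized(request_url: str, now: Optional[int] = None) -> bool:
    """Decide from the request URL alone; the Referer header is never consulted."""
    query = parse_qs(urlparse(request_url).query)
    tokens = query.get("token")
    if not tokens:
        return False
    return verify_token(tokens[0], now) is not None


if __name__ == "__main__":
    location = build_redirect_location("http://www.example.com/app", "session-abc")
    print("302 Location:", location)
    print("accepted:", request_is_authorized(location))
    print("accepted without token:", request_is_authorized("http://www.example.com/app"))
```

A cookie-based variant is the same check with the token read from the Cookie header instead of the query string, which is only possible when both URLs share a domain, as the reply notes. Because the MAC covers the expiry, a captured token is useful only for its lifetime, which is the reason for keeping the TTL short.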