Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’m curious as to the difference of denying access using the global $_server['http_referer'] and using .htaccess with deny from all/allow from ip
Are both bypassable in the same way or is .htaccess a secure way to stop access based on the referer?
Kind regards,
$_SERVER['HTTP_REFERER']is easy to spoof so depending on that for anything non-trivial is not a good idea.Using .htaccess with
deny from all/allow from ipis better is better because it restricts access to a list of IPs you specify. But this starts to fail if you allow entire blocks access to your site. Then this can be defeated easily by using a proxy.So neither is going to be a perfect solution to keeping someone out of your website.
update
Based on your comment you should consider an authentication method that only the referring sites and you know about. Basically they should be passing you a hash that is created from secret values that change per request. That way they can’t be spoofed and you can verify with certainty that the request is legitimate.