php - Preventing cURL Referrer spoofing

Question

We received PHP code from a developer with a web-stats script that relies solely on $_SERVER['HTTP_REFERER']. With cURL, you can easily fake it as follows:

curl_setopt($curl, CURLOPT_REFERER, "client website");

and I'm looking for a way to prevent it. This can even be done by the client website as well, to have higher stats. I'm looking for a way to prevent this spoofing. Is this possible at all? If so, how can this be achieved?

Answer 1

No, there's no definitive way of determing the URL Referrer.

As per the HTTP spec, HTTP_REFERER is optional. Some firewall packages strip these out by default, some clients don't send the referer value, and and there are numerous ways (like the one you showed in the question) to modify this value.

In short, the HTTP_REFERER value cannot be trusted. There will always be some way to modify these values. This is mentioned in the PHP manual documentation for $_SERVER (emphasis mine):

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

To answer your question: no, there is no way to prevent HTTP_REFERER value being altered. I'd suggest you double-check the value before using it (optionally, apply htmlspecialchars() on it to prevent injection) or don't use it at all. Unfortunately, it is a "take it or go home" deal.