Heading in the Right Direction

HTTP headers have a complicated relationship with Web security. They can be easily spoofed and represent yet another vector for attacks such as XSS, SQL injection, and even application logic attacks. Nevertheless, headers will provide CSRF mitigation in many circumstances. The point of these steps is to reduce risk by removing some of the attacker's options, not to block every possible scenario.

Referer [A]

[A] This header name was misspelled in the original HTTP/1.0 standard (RFC 1945), which was published in 1996. The prevalence of Web servers and browsers expecting this misspelling likely ensures that it will remain so for a very long time.

Web developers have been warned to ignore the Referer ...
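The kind of Referer/Origin check the section is building toward, written out as an added example (not code from the book); the function names, the allowed origin and the header values below are constructed for illustration.

```python
# Added example: a defensive Referer/Origin check for state-changing requests.
# Browsers do not let page script set either header, which is what makes the
# check useful against CSRF; non-browser clients can forge both, so this is a
# layer on top of anti-CSRF tokens, not a replacement for them.
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit


def _origin_of(url: str) -> Optional[str]:
    """Reduce a URL to scheme://host[:port] (lower-cased); None if unparseable."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for an out-of-range port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default = {"http": 80, "https": 443}[parts.scheme]
    host = parts.hostname.lower()
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def check_request_origin(headers: Dict[str, str],
                         allowed_origins: Set[str]) -> Tuple[bool, str]:
    """Decide whether a state-changing request came from one of our own pages.

    Origin is checked first (browsers send it on cross-site POSTs); Referer,
    with the historical misspelling, is the fallback. Returns (allowed, reason).
    """
    lower = {k.lower(): v for k, v in headers.items()}
    origin = lower.get("origin")
    if origin:
        # An "Origin: null" value parses to None and is therefore rejected.
        return (_origin_of(origin) in allowed_origins, f"origin header {origin!r}")
    referer = lower.get("referer")
    if not referer:
        # Privacy tools, proxies and Referrer-Policy often strip this header,
        # so failing closed costs some legitimate traffic; for state-changing
        # requests that is still the safer default.
        return (False, "no Origin or Referer header")
    return (_origin_of(referer) in allowed_origins, f"referer header {referer!r}")


# Constructed sample: one same-site form post and one cross-site post.
ALLOWED = {"https://bank.example"}
SAME_SITE = {"Referer": "https://bank.example/transfer"}
CROSS_SITE = {"Origin": "https://other-site.example",
              "Referer": "https://other-site.example/page.html"}
```

Host comparison is on the full origin, so a look-alike such as `bank.example.other-site.example` does not pass.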

Get Seven Deadliest Web Application Attacks now with the O’Reilly learning platform.
