0

I have a requirement from a client to check the referrer of the http request.If the referrer is from a particular list of websites, i will allow them to access to application other wise i have to direct them to a login page. Hope I'm clear with the requirement.

I have used httpRequest.getHeader("referrer") to get the referrer and The code is working fine when the communication is between two http clients. Now the sender applications is moved to https and my referrer is coming is null in receiver application as https(sender) doesn't send any header in request.

Now Can any one suggest me a good way to validate that the request is from a trusted source. I want to validate the referrer is a trusted source or not. Let me know if I'm missing anything here.

durron597
  • 31,968
  • 17
  • 99
  • 158
Swarup Reddy
  • 21
  • 4
  • 3
    **Never** use the referer header to determine whether whether or not you can trust a user. It can be injected at will using any number of browser plugins or standalone code. Also look at this: http://en.wikipedia.org/wiki/HTTP_referer#Referer_hiding – nablex Oct 15 '14 at 05:57

1 Answers1

0

I don't know what application or http server you use, but I think good idea is using two way ssl authentification, this technology identify client and server certificates. You have to create server and client certificates and only trusted clients (wich certificates mark as trusted in your keystore) could get data.

P.S. Don't use self signed certificates

rpc1
  • 688
  • 10
  • 23