![[ t ]](/images/structural/icon_twitter.gif){kind=icon}
HTTP Referer Security Considerations
HTTP/1.1: Security Considerations: Regarding my earlier post about the Outlook Web Access privacy issue, here’s what I found about HTTP Referer headers in the HTTP 1.1 spec (RFC 2616):
Because the source of a link might be private information or might reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer and From information.
That would be a great feature, but as far as I know, no browser offers this.
Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.
This may mitigate some of the problem with Outlook Web Access, because a lot of those systems will be using SSL.
Authors of services which use the HTTP protocol SHOULD NOT use GET based forms for the submission of sensitive data, because this will cause this data to be encoded in the Request-URI. Many existing servers, proxies, and user agents will log the request URI in some place where it might be visible to third parties. Servers can use POST-based form submission instead.
Another good point, which I mentioned in my earlier post.
What This Links To
Outlook Web Access Privacy Hole
Here's something a little scary for anyone who uses Outlook Web Access. Watch out for the links you click in emails, because your browser may send a whole lot of information about you in the HTTP Referer header. Browsing through my log files the other day, I found this as…
Comments
The Opera browser can toggle referrer logging very easily.
"That would be a great feature, but as far as I know, no browser offers this."
The Opera browser has exactly this kind of feature. You can download a free version at http://www.opera.no and choose to disable referer logging (file -> preferences or file -> quick preferences) ;)
Hi, people!! Great new site about shaved teen! The youngest, freshest and hardest porn for FREE! Updates Everyday! girls shaved sleeping Best porno pics and video !!! All category, millions movies and photos !!!
Pity Opera is a generally shitty browser...
Add Comment
- Island Inkjet by Kathy Porcher, 1 day, 9 hours ago
- In 1998, Bill Gates was an A-Hole by Mark, 1 day, 9 hours ago
- Island Inkjet by Kathy Porcher, 1 day, 9 hours ago
- Island Inkjet by Anonymous, 1 day, 9 hours ago
- Live-Shot dot com by John Jacson, 1 day, 22 hours ago
- Show 5 more »
- CNN's "Hologram" by Deane in 2008
- CNN's Video Irritates Me by Deane in 2008
- USA Today Gets Serious About Blogs by Deane in 2005
- Grokster Goes Bye Bye by Deane in 2005
- Ten Ways Gadget Companies Can Make Us Happy by Deane in 2005
- Show 8 more »