Some good advice there, Gareth.

[EMAIL PROTECTED] wrote:
>
> Another useful tip for securing OpenID servers is to use referrer
> checking. Now you might think that this is useless because the
> referrer can be faked. However, in JavaScript it is more difficult
> for a hacker to fake the referrer header, as headers can't be
> easily sent with form posts, so referrer checking can actually
> increase the security of your server and prevent some CSRF.
>
Be careful when using referrer checking, though. Many people use filtering proxies or other similar software which blocks the Referer header or alters it in some way. Behavior I've observed for such software is often one of:

* Don't send the Referer header at all.
* Set the Referer to be whatever URL is being requested.
* Set the Referer to be the root of the site to which the request is being sent.

So if you're going to do referrer checking, it's best to firstly limit your checking to only ensuring that the hostname portion of the URL is correct, and also to allow the request through if the Referer header is completely absent. That will cover you for all of the above odd-ball cases without reducing the advantages of the referrer checking.

_______________________________________________
security mailing list
[EMAIL PROTECTED]
http://openid.net/mailman/listinfo/security
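The lenient hostname-only policy described in the reply above, written out as an added example (not code from either poster or from any OpenID implementation). It assumes a constructed server hostname `openid.example.net`, treats a Referer with no parseable hostname as a mismatch, and is meant as a complement to a CSRF token, not a replacement for one.

```python
from typing import Optional
from urllib.parse import urlsplit


def referer_allowed(referer: Optional[str], expected_host: str) -> bool:
    """Decide whether a request may proceed based on its Referer header.

    Policy from the mailing-list reply:
      * header absent (or blank) -> allow, since filtering proxies strip it;
      * otherwise compare only the hostname, ignoring scheme, port, path and
        query, so proxies that rewrite Referer to the requested URL or to the
        site root still pass.
    """
    if referer is None or not referer.strip():
        return True  # case 1: proxy removed the header entirely
    try:
        parts = urlsplit(referer.strip())
    except ValueError:
        return False  # e.g. an unterminated IPv6 literal; not a usable Referer
    # Assumption: a scheme-less or otherwise host-less Referer is treated as a
    # mismatch rather than as "absent", so it cannot bypass the check.
    if parts.hostname is None:
        return False
    # .hostname is already lower-cased and has the port stripped.
    return parts.hostname == expected_host.strip().lower()


# Constructed sample Referer values covering the cases from the reply plus
# a mismatch; the server is assumed to live at openid.example.net.
SAMPLE_REFERERS = {
    "absent": None,
    "requested_url": "https://openid.example.net/server?openid.mode=checkid_setup",
    "site_root": "http://openid.example.net/",
    "other_origin": "http://attacker.example/launch",
    "lookalike_host": "http://openid.example.net.attacker.example/",
}


def evaluate_samples(expected_host: str = "openid.example.net") -> dict:
    """Run the policy over SAMPLE_REFERERS and return name -> allowed."""
    return {name: referer_allowed(ref, expected_host)
            for name, ref in SAMPLE_REFERERS.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name:15} -> {'allow' if allowed else 'reject'}")
```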
