
I have a section of my web site that I only want reachable from another portion of my web site. I know that referer spoofing is trivially easy. But, if all requests with an incorrect referer are met with 303 redirects to an index page, is there any way for the client to determine that the referer is the criterion on which they are being denied, or even that there is anything for them to be denied from?

In other words, could this be sufficient protection from bots or individuals without a specific target in mind? I realize this qualifies as security through obscurity, but in this case I'm not expecting targeted attacks, and I don't see how you would discover it from outside.

If it makes any difference, the redirect is being sent by nginx.

TBridges42
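The setup the question describes, as an added example rather than the asker's actual configuration: an nginx server whose public part is open and whose second part answers every request with a wrong or missing Referer by a 303 to the index page. The hostname, document root and the `/hidden/` prefix are assumptions; the mechanism (`valid_referers` plus `return 303`) is the one the question is about.

```nginx
# Added example, not the asker's configuration. Hostname, paths and the
# /hidden/ prefix are assumptions.
server {
    listen      80;
    server_name example.com www.example.com;

    root /var/www/site;

    # Public part of the site, including the index page.
    location / {
        try_files $uri $uri/ =404;
    }

    # Part of the site that should only be reached by following a link
    # from the public part.
    location /hidden/ {
        # Accept a Referer whose host is one of this server's names.
        # "none" is deliberately not listed, so a request with no Referer
        # header at all (typed URL, bookmark, most bots) also fails.
        # Add "blocked" only if you want to accept Referers that a proxy
        # or browser extension has blanked out.
        valid_referers server_names;

        # $invalid_referer is "1" when the Referer is missing or is not in
        # the list above. Answering with a 303 to the index page does not
        # say why the request was bounced, nor that /hidden/ exists.
        # "return" inside "if" is one of the safe uses of "if" in nginx.
        if ($invalid_referer) {
            return 303 /;
        }

        try_files $uri $uri/ =404;
    }
}
```

Two things to check before relying on this. First, the "trivially easy" spoof: `curl -sI http://example.com/hidden/` gets the 303, and `curl -sI -H 'Referer: http://example.com/' http://example.com/hidden/` gets the content, so the gate keeps out only clients that never think to set the header. Second, the gate also bounces legitimate visitors whenever the browser drops the Referer: if the public page is served over HTTPS and `/hidden/` over plain HTTP, or if the public page sets a `Referrer-Policy` of `no-referrer`, every link from the public part fails. Keep both parts on the same scheme and do not set such a policy on the linking page.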

1 Answer


Referer restrictions are common enough that it's one of the first things an attacker will guess when trying to figure out why they entered one URL and got a different one, especially if they know the URL is supposed to work (say, because a friend sent them the link).

No, there is no way to know that an incorrect referer is the cause of the redirect, but it's easy to guess.

Mark
  • That was a good answer to my question, but I suppose the follow up is, is it good enough for a small server whose entire intended audience is my immediate family? No anticipated link sharing, no linkbacks? I could be wrong, but I only anticipate attacks from bots and people that are really, really bored. – TBridges42 Jun 28 '14 at 21:04
  • Probably good enough, though you might want to look into [HTTP basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) if you want to password-protect it. – Mark Jun 28 '14 at 21:15
  • The problem is that I have multiple services (media center, home automation, sabnzbd). I'm trying to give them a more unified interface, and I don't know enough Python yet to get them all to use the same authentication check. In the meantime, I'm bouncing all requests to them to a php-based authentication page. – TBridges42 Jun 29 '14 at 16:50
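Mark's suggestion of HTTP basic authentication, and the follow-up problem of several back-end services that share no login code, can both be handled in nginx itself: nginx checks the credentials before it proxies a request, so the media center, home automation and sabnzbd services need no common authentication check of their own. The following is an added example, not the asker's configuration; the hostname, certificate paths, password-file location and the loopback ports of the back ends are assumptions.

```nginx
# Added example, not the asker's configuration. Hostname, certificate
# paths, the htpasswd location and the back-end ports are assumptions.
server {
    listen      443 ssl;
    server_name home.example.com;

    ssl_certificate     /etc/nginx/certs/home.example.com.pem;
    ssl_certificate_key /etc/nginx/certs/home.example.com.key;

    # One password file for everything behind this server.
    # Create it with:  htpasswd -c /etc/nginx/htpasswd alice   (apache2-utils)
    # Placed at server level, the two directives are inherited by every
    # location below, so no back end is reachable without credentials.
    auth_basic           "Family only";
    auth_basic_user_file /etc/nginx/htpasswd;

    # Unified front page served by nginx.
    location / {
        root /var/www/site;
    }

    # Each service keeps whatever login it has (or none); nginx has already
    # verified the Basic credentials before the request reaches it.
    location /media/ {
        proxy_pass http://127.0.0.1:8096/;
    }
    location /automation/ {
        proxy_pass http://127.0.0.1:8123/;
    }
    location /sabnzbd/ {
        proxy_pass http://127.0.0.1:8080/;
    }
}

# Refuse plain HTTP: Basic credentials are only base64-encoded, not
# encrypted, so they must never cross the network in the clear.
server {
    listen      80;
    server_name home.example.com;
    return 301 https://$host$request_uri;
}
```

Two caveats. The gate only holds if the services themselves listen on 127.0.0.1 (or are firewalled); a service bound to all interfaces can still be reached directly on its own port, bypassing nginx entirely. And proxying a service under a path prefix works only when the service generates links relative to that prefix, so each back end may need its base URL set to match its `location`.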