HTTP_REFERER isn’t reliable, its value is dependent on the HTTP
Referer header sent by the browser or client application to the server and therefore can’t be trusted because it can be manipulated.
Referer header, section 15.1.2 of RFC2616 states:
Therefore, applications SHOULD supply
as much control over this information
as possible to the provider of that
We suggest, though do not require,
that a convenient toggle interface be
provided for the user to enable or
disable the sending of From and
Many online privacy tools mangle this value and many browsers such as FireFox have for a long time permitted users to prevent this header being sent. So in a nutshell, I wouldn’t rely on it for any serious purpose. For example, securing forms so that drive-by spammers can’t post values, because the
Referer can be spoofed.
For further reading see:
Using referer field for authentication or authorization (WayBackMachine)