HTTP Referer Validation
HTTP Referer validation (also known as "Referer Check") is a common web security measure. Its principle is that the backend server checks the Referer field in the request header when receiving a request to determine whether the request source is a trusted domain or page.
Basic Principle
- When the client (browser) initiates an HTTP request, it includes a Referer field in the request header, indicating the address of the page the request came from.
- After the server receives the request, it reads the Referer and determines whether it comes from a trusted source.
- If the Referer does not meet the requirements, the request is rejected or an error is returned.
Common Scenarios
- Source validation for sensitive operations such as form submission and API calls
- Preventing CSRF attacks
- Anti-leeching (e.g., allowing image or video resources to be accessed only from the same domain)
Notes
- Not all requests include a Referer (e.g., a URL typed directly into the address bar, certain browser privacy modes, navigation from an HTTPS page to an HTTP page)
- The Referer can be easily forged by a non-browser client and should not be used as the sole security measure; it should only serve as a supplement
- It is recommended to combine it with other measures such as CSRF Token and Cookie validation
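The check described in Basic Principle, together with the two failure modes listed in Notes (a missing Referer and a forged or lookalike one), as an added example. This is not the framework's own interceptor: the class name, the constructor taking the allowedReferrers list and the sample Referer values are all assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

/** Added example of a Referer check; hypothetical class, not the framework's interceptor. */
public final class RefererCheck {

    /** Trusted origins (scheme + host + port), built from the allowedReferrers list. */
    private final Set<String> allowedOrigins;

    public RefererCheck(List<String> allowedReferrers) {
        this.allowedOrigins = allowedReferrers.stream()
            .map(RefererCheck::originOf)
            .filter(o -> o != null)
            .collect(Collectors.toSet());
    }

    /**
     * Reduce a URL to its origin: lower-cased scheme and host plus an explicit port.
     * Comparing whole origins rather than string prefixes means a host such as
     * "example.com.evil.net", or userinfo such as "example.com@evil.net", is not
     * mistaken for "example.com". Returns null if the value is not an absolute URL.
     */
    static String originOf(String url) {
        if (url == null || url.isBlank()) return null;
        try {
            URI u = new URI(url.trim());
            if (u.getScheme() == null || u.getHost() == null) return null;
            String scheme = u.getScheme().toLowerCase(Locale.ROOT);
            int port = u.getPort();
            if (port == -1) {
                port = scheme.equals("https") ? 443 : scheme.equals("http") ? 80 : -1;
            }
            return scheme + "://" + u.getHost().toLowerCase(Locale.ROOT) + ":" + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /**
     * Decide whether a request may proceed given its Referer header.
     * A missing Referer is rejected: browsers omit it on direct URL entry, in some
     * privacy modes and on HTTPS-to-HTTP navigation, which is exactly why the check
     * is only a supplement to a CSRF token rather than a replacement for it.
     */
    public boolean isAllowed(String refererHeader) {
        String origin = originOf(refererHeader);
        return origin != null && allowedOrigins.contains(origin);
    }

    public static void main(String[] args) {
        RefererCheck check = new RefererCheck(List.of(
            "https://example.com", "https://another-example.com", "https://my-site.com"));

        // Constructed sample Referer values, not captured traffic.
        String[][] cases = {
            {"https://example.com/orders/new",   "allowed: trusted origin"},
            {"HTTPS://Example.COM:443/",         "allowed: case and default port normalised"},
            {"https://example.com.evil.net/",    "rejected: lookalike host"},
            {"https://example.com@evil.net/",    "rejected: real host is evil.net"},
            {"http://example.com/",              "rejected: scheme differs"},
            {null,                               "rejected: no Referer sent"},
        };
        for (String[] c : cases) {
            String verdict = check.isAllowed(c[0]) ? "allowed" : "rejected";
            System.out.printf("%-36s -> %-8s (%s)%n", c[0], verdict, c[1]);
        }
    }
}
```

The design point is the normalisation step: the allowlist and the incoming header are both reduced to an origin before comparison, so a `startsWith("https://example.com")` style check, which the lookalike cases would pass, is never needed.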
Usage
YAML Configuration
security:
  HttpReferer: # Referer Interceptor
    globalCheck: false # Global check
    enabled: true
    allowedReferrers:
      - https://example.com
      - https://another-example.com
      - https://my-site.com
Interceptor Validation
Add the @HttpRefererCheck annotation to the endpoint that requires the check:
@GetMapping("/HttpRefererCheck")
@HttpRefererCheck // requests whose Referer is not in allowedReferrers are rejected by the interceptor
public int HttpRefererCheck() {
    return 0;
}