is $_SERVER['HTTP_REFERER'] safe?

滥情空心 2020-12-03 21:19

I'm using $_SERVER['HTTP_REFERER'] to generate a dynamic back link.

">Return to..blah

3 answers
  •  佛祖请我去吃肉
    2020-12-03 22:16

    It may be safe, but it is not reliable: due to the HTTP spec, HTTP_REFERER is optional (some clients don't send this header at all, and some "security" software strips this out from any HTTP request), and there are numerous ways to modify this header. Some browsers send the referring page, some send a blank string, some don't send this at all, some may send bogus data, some may send Aunt Matilda; and moreover, you can't tell whether you're getting valid data in this header or not.

    So, no, I would never trust that HTTP_REFERER contains the previous page, and neither should you.
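
An added example, not code from the question or the answer: one way to build the back link so that a missing, foreign or malformed Referer falls back to a fixed URL, and whatever is emitted is escaped for the `href` attribute. The function names, the host `shop.example`, the fallback `/index.php` and the sample header values are all assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example; back_link_url() and back_link_html() are hypothetical names.
// $ownHost should come from configuration, not from the Host header,
// which is client-supplied just like Referer.
function back_link_url(array $server, string $ownHost, string $fallback): string
{
    $referer = $server['HTTP_REFERER'] ?? '';          // header is optional
    if (!is_string($referer) || $referer === '' || strlen($referer) > 2048) {
        return $fallback;
    }
    if (preg_match('/[\x00-\x20\x7f]/', $referer)) {   // control chars, spaces
        return $fallback;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;                              // not an absolute URL
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return $fallback;                              // only web links
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;                              // no user:pass@host forms
    }
    if (strcasecmp($parts['host'], $ownHost) !== 0) {
        return $fallback;                              // only link back to our own site
    }
    return $referer;
}

function back_link_html(array $server, string $ownHost, string $fallback): string
{
    $url = back_link_url($server, $ownHost, $fallback);
    // Escape for the attribute context even after validation.
    $href = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $href . '">Return to..blah</a>';
}

// Constructed sample requests (not real traffic).
$samples = [
    'header absent'   => [],
    'same host'       => ['HTTP_REFERER' => 'https://shop.example/cart?id=7&page=2'],
    'other host'      => ['HTTP_REFERER' => 'https://elsewhere.example/'],
    'non-http scheme' => ['HTTP_REFERER' => 'javascript:void(0)'],
    'markup in path'  => ['HTTP_REFERER' => 'https://shop.example/"><b>x</b>'],
];
foreach ($samples as $label => $server) {
    echo str_pad($label, 18), back_link_html($server, 'shop.example', '/index.php'), PHP_EOL;
}
```

Only the "same host" and "markup in path" samples keep the Referer value, and in the latter the quote and angle brackets are emitted as entities; the other three produce the fallback link.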
