New Message: Re: Norton Internet Security and Firewalls

webmaster at userland.com webmaster at userland.com
Thu Nov 3 05:09:41 CST 2005


A new message was posted:

Address: http://manila.userland.com/discuss/msgReader$1453

By: Jake Savin (jake at userland.com)

/Will disabling referer checking mean opening up the hole that referer checking was intended to close?/

It will open it up. However, the fact is that the referer header is so easy to spoof (by simply adding it to the request), and spammers have become so sophisticated, that the check is all but obsolete these days anyway.

Ideally one would configure their firewall software to allow the referer header, at least for the server running Manila. The time that this is least likely to be possible is in an intranet environment, where an IT department determines the firewall rules and the user cannot override them. These cases are also the ones where the Manila server will likely not be accessible on the Internet at large, so disabling the referer check in this case will hopefully be relatively safe.

The ability to disable referer checking is primarily targeted towards these servers which are running in an Intranet-type environment, where exploits are not very likely.

This is a Manila site... http://manila.userland.com/.
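
The trade-off described in the message above, as an added example that is not part of the original post and is not Manila's code: a referer check evaluated over four constructed requests, with the check enabled and then disabled. The host name, function names and sample headers are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed host name for the sample site; not a real Manila setting.
SITE_HOST = "manila.example.com"

def referer_check(headers, enabled=True, site_host=SITE_HOST):
    """Decide whether a form post is accepted. Returns (allowed, reason)."""
    if not enabled:
        return True, "check disabled"
    # Header names are case-insensitive, so normalise before the lookup.
    referer = {k.lower(): v for k, v in headers.items()}.get("referer", "")
    if not referer.strip():
        return False, "referer missing"
    try:
        host = (urlsplit(referer.strip()).hostname or "").lower()
    except ValueError:
        return False, "referer unparseable"
    if host != site_host:
        return False, "referer from another host"
    return True, "referer matches site"

# Constructed request headers, one per situation discussed in the message.
SAMPLES = {
    "browser_on_site": {"Referer": "http://manila.example.com/discuss/msgReader"},
    "firewall_stripped_header": {"User-Agent": "Mozilla/4.0"},
    "form_on_other_site": {"Referer": "http://other.example.net/page.html"},
    # The server sees only the header value; it cannot tell who wrote it.
    "client_supplied_header": {"referer": "http://manila.example.com/"},
}

def evaluate(enabled):
    """Map each sample name to the (allowed, reason) result."""
    return {name: referer_check(h, enabled) for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for enabled in (True, False):
        print("referer check enabled:", enabled)
        for name, (allowed, reason) in evaluate(enabled).items():
            print(f"  {name:26} {'accept' if allowed else 'reject'}  ({reason})")
```

With the check enabled, the user whose firewall strips the header is rejected while a request carrying a client-supplied header is accepted, which is why the check gives little assurance on its own.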



