2

(!rant && user_input)

I have been pondering for the last couple of days how to validate whether a referring HTTP request is actually coming from the referrer it claims to come from. Any ideas on this?

Comments
  • 0
    Not all devices/browsers will give you that information. In the wild we see lots of iOS and Edge weirdness.

    That being said, the standard effectively says that the header shouldn't be set when going from HTTPS to HTTP.

    https://tools.ietf.org/html/...

    I hope I understood what you're trying to do.
  • 0
    @Blacula well yea but all I've come out at is pretty spoofable :(
  • 0
    @mclovinit sadly, after all the research I've done, that is indeed the only conclusion, too bad though
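
An added example, not part of the thread above: a server-side check that treats the Referer header as a client-supplied hint, covering the cases raised in the comments (header absent, HTTPS to HTTP downgrade) and comparing parsed origins rather than string prefixes. The function names, the `headers` dict and the `shop.example` origin are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
ALLOWED = ["https://shop.example"]  # constructed sample allowlist


def origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (scheme, parts.hostname.lower(), port or DEFAULT_PORTS[scheme])


def classify_referer(headers, request_scheme, allowed_origins=ALLOWED):
    """Classify what the Referer claims. The result is a hint, never proof:
    any non-browser client can send whatever value it likes."""
    value = headers.get("Referer")  # headers: plain dict (assumption)
    if not value:
        # Omitted on HTTPS -> HTTP navigation, by strict referrer
        # policies, and by some devices and browsers.
        return "absent"
    ref = origin(value)
    if ref is None:
        return "malformed"
    if ref[0] == "https" and request_scheme == "http":
        # The standard says this should not be sent on a downgrade,
        # so flag it instead of trusting it.
        return "unexpected-downgrade"
    allowed = {origin(o) for o in allowed_origins}
    # Exact origin match: a prefix test would accept look-alike hosts
    # such as https://shop.example.evil.test/.
    return "claims-allowed" if ref in allowed else "claims-other"


if __name__ == "__main__":
    samples = [  # constructed sample requests: (headers, request scheme)
        ({}, "https"),
        ({"Referer": "https://shop.example/cart"}, "https"),
        ({"Referer": "https://shop.example.evil.test/"}, "https"),
        ({"Referer": "https://shop.example/cart"}, "http"),
    ]
    for hdrs, scheme in samples:
        print(hdrs.get("Referer"), "->", classify_referer(hdrs, scheme))
```

Even a `claims-allowed` result only says what the client chose to send, so it suits logging and soft filtering rather than authorization decisions.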