How to enforce local referrers for images, stylesheets and scripts
9:48 am on Jun 18, 2010 (gmt 0)
Needing some help on this to pass a pen-test - any ideas?
4:10 am on Jul 18, 2010 (gmt 0)
Your question has been hanging around here for a while and I don't know if it is still relevant, but as I understand it, you want to make sure that calls for images, stylesheets and scripts all have a referrer from the same site as these files are located on. Is that a correct interpretation of the problem?
1:22 am on Jul 19, 2010 (gmt 0)
Enforcing local referrers might break things for those whose browsers are configured not to send the referrer or are using an an Anonymous proxy server. Just something to keep in mind.
8:01 am on Jul 19, 2010 (gmt 0)
Intranet (i.e. you control, or can control, the browser) or Internet (you don't)?
You can also set up session handling and start a session on the referring page that you check for before serving the protected file (you can also check that both requests have the same user agent string, IP addresses in the same block etc).