
RefControl caution

Posted: Thu Sep 13, 2012 3:40 am
by Thrawn
Like several others here, I use & recommend the RefControl addon for hiding/altering the Referer (sic) header.

However, a word of caution: do not set the default action to 'Forge'. This action will bypass any Referer checks on all servers, which may actually make you more vulnerable to CSRF attacks. Granted, checking Referer is not a reliable server-side defence, but many sites use it, and there's no point making them any weaker than they already are. A better default is 'Block', with 'Forge' being applied to specific sites that would otherwise break.
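The mechanism behind this caution, as an added example that is not part of the thread and not RefControl's or any real site's code: a hypothetical server applies a Referer-origin check to a state-changing POST, in both the strict variant (no Referer means reject) and the lenient variant (no Referer means allow). The same cross-site request is then replayed under the browser default, under 'Block' (header removed), under 'Forge' (Referer replaced with the target site's own root), and as a genuine submission. A session-token check is included alongside for contrast. `bank.example`, `evil.example`, the token value and the form fields are all constructed for the demo.

```python
import hmac
from urllib.parse import urlsplit

# Hypothetical target site for the demo; not a real service.
SITE_ORIGIN = "https://bank.example"


def referer_allows(headers, site_origin=SITE_ORIGIN, strict=True):
    """Weak CSRF defence: allow a state-changing request only when the
    Referer's origin (scheme://host[:port]) equals the site's own origin.

    strict=True  also rejects requests that carry no Referer at all.
    strict=False lets Referer-less requests through, the lenient variant
    sites adopt so that clients that strip the header still work.
    """
    referer = headers.get("Referer")
    if referer is None:
        return not strict
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    # Compare whole origins, never a prefix: a substring test would let
    # https://bank.example.evil.example/ through.
    return f"{parts.scheme}://{parts.netloc}".lower() == site_origin.lower()


def token_allows(form, session, field="csrf_token"):
    """Reliable CSRF defence: a per-session secret echoed in the form body.
    An attacker's page cannot read the victim's token, so whatever the
    client does to Referer makes no difference here."""
    expected = session.get("csrf_token")
    submitted = form.get(field)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def run_scenarios():
    """Replay the same POST /transfer under different client Referer
    behaviours.  Returns {name: (strict_referer, lenient_referer, token)}."""
    session = {"csrf_token": "c3d1f0a9e7b2"}          # constructed secret
    csrf_form = {"to": "mallory", "amount": "1000"}    # attacker's form, no token
    real_form = dict(csrf_form, csrf_token=session["csrf_token"])

    scenarios = {
        # Browser default: Referer names the attacker's page.
        "default": ({"Referer": "https://evil.example/lure.html"}, csrf_form),
        # Lookalike host; a prefix match would accept this, an origin match does not.
        "lookalike": ({"Referer": "https://bank.example.evil.example/"}, csrf_form),
        # 'Block': the header is removed entirely.
        "block": ({}, csrf_form),
        # 'Forge': Referer replaced by the target site's own root.
        "forge": ({"Referer": "https://bank.example/"}, csrf_form),
        # Genuine same-site submission carrying the session token.
        "legit": ({"Referer": "https://bank.example/account"}, real_form),
    }
    results = {}
    for name, (headers, form) in scenarios.items():
        results[name] = (
            referer_allows(headers, strict=True),
            referer_allows(headers, strict=False),
            token_allows(form, session),
        )
    return results


if __name__ == "__main__":
    for name, (strict, lenient, token) in run_scenarios().items():
        print(f"{name:10} strict-referer={strict!s:5} "
              f"lenient-referer={lenient!s:5} token={token}")
```

Under 'Block' the strict check still rejects the cross-site request and only the lenient check lets it through; under 'Forge' both variants accept it, because the forged header is indistinguishable from a same-site one. Only the token check holds in every case, which is why Referer checking is at best a secondary layer.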

Re: RefControl caution

Posted: Thu Sep 13, 2012 4:06 am
by therube
> Granted, checking Referer is not a reliable server-side defence, but many sites use it

Still?
In days of old a lot of porn sites used referrer checks to allow or not allow a user.
What a joke.
refspoof (2003 from the date of my copy, & look it's still there, but again different from mine) was a popular extension in those days ;-).

Re: RefControl caution

Posted: Thu Sep 13, 2012 9:11 pm
by GµårÐïåñ
I universally set mine to BLOCK and make exceptions for those that I know need it to work. However, although you are theoretically correct, it's a very unlikely and small attack vector that is not effective in doing much. Rest at ease, my friend.

Re: RefControl caution

Posted: Fri Sep 14, 2012 6:07 am
by Tom T.
Thanks, Thrawn and GµårÐïåñ. I've changed mine from Forge to Block. Good tip, guys.