<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/>
<title>AJ Security/HTTP Referer Validation</title>
<meta name="description" content="A Practical Java Web Security Library. HTTP Referer 校验(也称为“Referer 检查”)是一种常见的 Web 安全措施,其原理是:后端服务器在接收请求时检查请求头中的 Referer 字段,判断请求来源是否为信任的域名或页面。"/>
<meta name="keywords" content="security, xss, csrf, captcha, Referer"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<link rel="stylesheet" href="https://framework.ajaxjs.com/static/font/font.css" />
<link rel="stylesheet" href="/asset/main.css"/>
<link rel="icon" type="image/x-icon" href="https://framework.ajaxjs.com/aj-logo/logo.ico"/>
<script src="https://framework.ajaxjs.com/static/aj-docs/common.js"></script>
<script>
var userLang = navigator.language || navigator.userLanguage;
if (userLang.startsWith('zh') && location.pathname.indexOf('cn') == -1) {
confirm('欢迎!您可以改为访问中文内容。是否继续?') && location.assign('/cn');
}
var _hmt = _hmt || [];
(function() {
var hm = document.createElement("script");
hm.src = "https://hm.baidu.com/hm.js?950ba5ba1f1fe4906c3b4cf836080f03";
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(hm, s);
})();
</script>
</head>
<body>
<nav>
<div>
<div class="links">
<a href="/">🏠 Home</a>
| ⚙️ Source:
<a target="_blank" href="https://github.com/lightweight-component/aj-security">Github</a>/<a target="_blank" href="https://gitcode.com/lightweight-component/aj-security">Gitcode</a>
|
<a href="/cn">Chinese Version</a>
</div>
<h1><img src="https://framework.ajaxjs.com/aj-logo/logo.png" style="vertical-align: middle;height: 45px;margin-bottom: 6px;" /> AJ Security</h1>
<h3>User Manual</h3>
</div>
</nav>
<div>
<menu>
<ul>
<li class="selected">
<a href="/">Home</a>
</li>
<li>
<a href="/install">Installation & Configuration</a>
</li>
</ul>
<h3>HTTP Web Security</h3>
<ul>
<li>
<a href="/http/http-referer">HTTP Referer Validation</a>
</li>
<li>
<a href="/http/timestamp">Timestamp Encrypted Token Validation</a>
</li>
<li>
<a href="/http/paramssign">Parameter Signature</a>
</li>
<li>
<a href="/http/ip-list">IP Whitelist/Blacklist</a>
</li>
<li>
<a href="/http/nonrepeatsubmit">Prevent Duplicate Submission</a>
</li>
</ul>
<h3>General Web Validation</h3>
<ul>
<li>
<a href="/classic/xss">Prevent XSS Attacks</a>
</li>
<li>
<a href="/classic/crlf">Prevent CRLF Attacks</a>
</li>
</ul>
<h3>Captcha Mechanism</h3>
<ul>
<li><a href="/captcha/img-captcha">Image Captcha</a></li>
<li><a href="/captcha/google">Google-based Captcha</a></li>
<li><a href="/captcha/cf">CloudFlare-based Captcha</a></li>
</ul>
<h3>HTTP Standard Authentication</h3>
<ul>
<li><a href="/auth/http-basic-auth">HTTP Basic Auth</a></li>
<li><a href="/auth/http-digest-auth">HTTP Digest Auth</a></li>
</ul>
<h3>API Features</h3>
<ul>
<li><a href="/api/limit">Rate Limiting</a></li>
</ul>
<h3>Other Practical Features</h3>
<ul>
<li><a href="/misc/desensitize">Field Desensitization</a></li>
<li><a href="/misc/encryption-api">API Encryption</a></li>
<li><a href="/misc/trace-id">Trace Tracking</a></li>
</ul>
</menu>
<article>
<h1>HTTP Referer Validation</h1>
<p>HTTP Referer validation (also known as "Referer Check") is a common web security measure. Its principle is that the
backend server checks the Referer field in the request header when receiving a request to determine whether the request
source is a trusted domain or page.</p>
<h2>Basic Principle</h2>
<ol>
<li>When the client (browser) initiates an HTTP request, it includes a <code>Referer</code> in the request header, indicating the
source page address of the request.</li>
<li>After the server receives the request, it reads the <code>Referer</code> and determines whether it is from a trusted source.</li>
<li>If the <code>Referer</code> does not meet the requirements, the request is rejected or an error is returned.</li>
</ol>
<h2>Common Scenarios</h2>
<ul>
<li>Source validation for sensitive operations such as form submission and API calls</li>
<li>Preventing CSRF attacks</li>
<li>Anti-leeching (e.g., allowing image or video resources to be accessed only from the same domain)</li>
</ul>
<h2>Notes</h2>
<ul>
<li>Not all requests include a Referer (e.g., direct URL input, certain browser privacy modes, HTTPS to HTTP)</li>
<li>The Referer can be easily forged and should not be used as the sole security measure; it should only serve as a
supplement</li>
<li>It is recommended to combine with multiple measures such as CSRF Token and Cookie validation</li>
</ul>
<h1>Usage</h1>
<h2>yaml Configuration</h2>
<pre><code class="language-yaml">security:
HttpReferer: # Referer Interceptor
globalCheck: false # Global check
enabled: true
allowedReferrers:
- https://example.com
- https://another-example.com
- https://my-site.com
</code></pre>
<h2>Interceptor Validation</h2>
<p>Add the <code>@HttpRefererCheck</code> annotation to the interface in use:</p>
<pre><code class="language-java">@GetMapping("/HttpRefererCheck")
@HttpRefererCheck
int HttpRefererCheck();
</code></pre>
</article>
</div>
<footer>
AJ Security, a part of
<a href="https://framework.ajaxjs.com" target="_blank">AJ-Framework</a>
open source. Mail:frank@ajaxjs.com, visit
<a href="https://blog.csdn.net/zhangxin09" target="_blank">my blog(In Chinese)</a>. <br/> <br/> Copyright © 2025 Frank Cheung. All rights reserved.
</footer>
</body>
</html>
