The HTTP_REFERER server variable records the URL of the page
the user's browser visited before the current page. As such, it is sometimes
used to check that a form was submitted from the correct form and that the
submission did not originate from elsewhere.
While this is a useful technique to guard against automated
form submissions, there are, however, a number of issues with using the
HTTP_REFERER server variable.
Some proxy servers and content filtering services mask the
value of the HTTP_REFERER or even strip it out altogether before the request
arrives at the destination server.
An increasing number of Internet web robots are being used
with a fake value for the HTTP_REFERER server variable.
The HTTP_REFERER server variable can be easily faked by many
of the tools used to create automated web-crawling robots and form submission
utilities.
Consequently, there are disadvantages to using the
HTTP_REFERER server variable to increase the security of web applications. Alternative
strategies to securing forms would be to include using a graphical sequence of
characters that a user has to type into the form before submission (i.e. a
Captcha, see http://www.captcha.net/), or
to include certain dynamically-generated, hidden fields within the form that
must also be present when the form is submitted.