Can I rely on Referer HTTP header?
As a general rule, you should not trust the HTTP Referer Header for any matter of importance, except for purely informative statistical analysis of who your visitors are or when looking for patterns of behaviour among the users of your own site.
Under no circumstance it is advisable that you use this header for AAA (Authentication, Authorization and Accounting), unless, as commented above, you consider Accounting the simple traffic analysis of your visitor's behavior.
The Common Weakness Enumeration lists this weakness as CWE-293: Using Referer Field for Authentication:
The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.
Some other and more specific reasons not to trust the Referer Header, include:
In general, when "linking" from an HTTP <-> HTTPS (TLS) connection, most standard Web browsers will not inform this header.
For privacy reasons, many corporate proxies are configured to remove/strip this header, so even if a Web browser sends this header, a corporate proxy software may remove it.
Out in the wild security solutions, malware, browsers embedded into applications... are known to modify and/or cheat on the contents of this header.
Beware that:
- When "linking" from HTTPS to HTTPS, most standard Web browsers will inform this header even when changing the domain name or network address destination.
As long as you have a reasonable default behavior when there isn't a usable value, and you're not doing anything sensitive based on it, it's probably okay.
A malicious user could set that header to anything they want. I expect most users don't modify the default behavior of their browsers, so it's probably there and accurate most of the time.
There are probably also some cases where switching between HTTPS and HTTP will cause a referer header not to be sent.