I have a section of my web site that I only want reachable from another portion
Question
I have a section of my web site that I only want reachable from another portion of my web site. I know that referer spoofing is trivially easy. But, if all requests from an incorrect referrer are met with 303 redirects to an index page, is there any way for the client to determine that the referrer is the criteria on which they are being denied, or even that there is anything for them to be denied from?
In other words, could this be sufficient protection from bots or individuals without a specific target in mind? I realize this qualifies as security through obscurity, but in this case I'm not expecting targeted attacks, and I don't see how you would discover it from outside.
If it makes any difference, the redirect is being sent by nginx.
Explanation / Answer
Referer restrictions are common enough that it's one of the first things an attacker will guess when trying to figure out why they entered one URL and got a different one, especially if they know the URL is supposed to work (say, because a friend sent them the link).
No, there is no way to know that an incorrect referer is the cause of the redirect, but it's easy to guess.
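For reference, this is what the setup described in the question typically looks like in nginx: `valid_referers` marks requests whose Referer header is missing or from an unlisted host, and those get the 303 to the index page. This is an added example written for this page, not the asker's configuration; the host names and paths are assumptions.

```nginx
# Added example (not from the question or answer): gate /internal/ on the
# Referer header and send everything else a 303 to the index page.
# example.com and /var/www are assumed values.
server {
    listen 80;
    server_name example.com;

    location /internal/ {
        # $invalid_referer becomes "1" unless the Referer header names one of
        # these hosts. Because "none" is not listed, a request with no Referer
        # at all is also treated as invalid.
        valid_referers server_names example.com www.example.com;
        if ($invalid_referer) {
            return 303 /;
        }
        root /var/www;
    }
}
```

As the answer notes, the check rests entirely on a client-supplied header, so it only filters clients that don't bother to set it; anything that needs real access control should use authentication rather than this rule.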