2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article explains the differences between the Host, Referer and Origin request headers. The content is detailed, and interested readers can use it for reference.
Host is easy to understand, so take a look at the introduction given by the MDN website:
The Host request header indicates the domain name of the server (for virtual hosts) and, optionally, the TCP port number on which the server is listening.
If no port number is given, the default port of the requested service is automatically used (for example, port 80 for an HTTP URL).
All request messages in HTTP/1.1 must contain a Host header field. If an HTTP/1.1 request is missing a Host header field or has more than one Host header field set, a 400 (Bad Request) status code is returned.
The following information can be summarized from the above text:
1. The value of Host is the domain name (or IP) and port of the server requested by the client.
2. The Host request header must be included in HTTP/1.1, and only one can be set.
So what is the main use of host?
The most frequently used scenario for host is when multiple virtual hosts are set up on a single server.
To take a simple example: I configured two virtual hosts through Apache on a server with an IP address of 127.0.0.1: a.com and b.com. Both domain names are pointed to 127.0.0.1 through DNS resolution. When I visit the a.com website in my browser, DNS converts the domain name into an IP address. The server then uses the Host value in the client's request headers to determine which virtual host is being accessed.
As shown in the figure:
Without the Host request header, the client's request cannot indicate which virtual host it wants to access.
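The Host rules above can be applied on the server side as in the following sketch. This is an added example, not code from the original article: the function name `routeByHost`, the virtual host table and the document-root paths are assumptions made for illustration, and the sample requests are constructed.

```javascript
// Added illustration; the vhost table and paths are constructed for the example.
const VHOSTS = new Map([
  ["a.com", "/var/www/a"],
  ["b.com", "/var/www/b"],
]);

// rawHead: request line plus headers of an HTTP/1.1 request, CRLF-separated.
function routeByHost(rawHead, defaultPort = 80) {
  const lines = rawHead.split("\r\n").filter((l) => l.length > 0);
  const hostValues = lines
    .slice(1) // skip the request line
    .map((l) => {
      const i = l.indexOf(":");
      return i < 0 ? null : [l.slice(0, i).trim().toLowerCase(), l.slice(i + 1).trim()];
    })
    .filter((h) => h && h[0] === "host") // header names are case-insensitive
    .map((h) => h[1]);

  // HTTP/1.1: exactly one Host header, otherwise 400 (Bad Request).
  if (hostValues.length !== 1) return { status: 400 };

  // Split "name[:port]"; IPv6 literals are out of scope for this sketch.
  const m = /^([^:\s]+)(?::(\d{1,5}))?$/.exec(hostValues[0]);
  if (!m) return { status: 400 };
  const name = m[1].toLowerCase();
  // No port given: fall back to the default port of the service.
  const port = m[2] ? Number(m[2]) : defaultPort;
  if (port > 65535) return { status: 400 };

  // Design choice of this example: unknown names are refused, not served
  // by a catch-all default virtual host.
  const root = VHOSTS.get(name);
  if (!root) return { status: 404, name, port };
  return { status: 200, name, port, root };
}
```

Both a.com and b.com resolve to the same IP address, so the Host value is the only thing in the request that separates them.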
Let's take a look at MDN's introduction to referer:
The Referer header contains the address of the source page of the current request page, which means that the current page is accessed through the link in the source page. The server generally uses the Referer header to identify the access source, which may be used for statistical analysis, logging, cache optimization and so on.
It is important to note that "referer" is actually a misspelling of "referrer".
Referer will not be sent in the following two cases:
1. The source page uses the protocol "file" or "data" URI that represents the local file.
2. The current request page uses a non-secure protocol, while the source page uses a secure protocol (HTTPS).
3. Enter the URL directly or access it through a browser bookmark
4. Use JavaScript's Location.href or Location.replace()
5. Use noreferrer in HTML5
6. Use Referer Meta tags to control referer usage scenarios. For more information, please see the following article: https://www.jb51.net/article/137982.htm
7. Use an iframe hack to remove the Referer.
Here is an example of Baidu's picture hotlink protection:
The html code is as follows:
Double-clicking the file opens the page directly, that is, over the file protocol. In this case no Referer is sent and the picture is displayed, as shown in the figure:
The Network panel is shown in the figure. There is no Referer request header at this point:
But when I publish the page to a server and access it at http://127.0.0.1/a2.html, the result is as shown in the figure:
The picture is no longer displayed. Why? Observe the request header, as shown in the figure:
There is an extra Referer request header, which identifies the source of the request for this picture, and that source is my website. Baidu's image server evaluates the request based on this header and blocks it.
So how is hotlink protection bypassed? A common approach is to use a server-side program as a proxy crawler, since a server-side crawler is free to set its request headers. Another is the iframe hack. This is similar to XSS. So what is XSS? We won't cover it here; we'll discuss it next time.
Iframe is written as follows to remove referer. Look at the code:
The result is shown in the figure:
Take a look at network as shown in the figure:
The Referer has disappeared, and without it the request gets past Baidu's hotlink protection.
Finally, there is Origin. Let's take a look at MDN's introduction to it:
The request header field Origin indicates which site the request came from. This field only indicates the server name and does not contain any path information. This header is used for CORS requests or POST requests. This field is similar to the Referer header field except that it does not contain path information.
You can see that the functions of referer and origin are similar, but there are still a few differences. Take a closer look at the above introduction and summarize the following points:
1. Only cross-domain requests, or POST requests sent within the same domain, carry the Origin request header. Referer, by contrast, is carried in every case as long as the browser can obtain the request source, except for the cases mentioned above.
2. If the browser cannot obtain the request source, Origin is still sent when the above conditions are met, but its value is null, as shown in the figure:
Referer behaves differently: if the browser cannot obtain the request source, it does not include Referer in the request headers at all.
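The differences summarized above matter when a server checks where a request came from. The following is an added example, not code from the original article: the function names `toOrigin` and `classifySource`, the allow-list and the sample header objects are assumptions constructed for illustration.

```javascript
// Added illustration; the allow-list and header objects are constructed.
const ALLOWED = new Set(["https://a.com"]);

// Reduce a header value to scheme://host[:port], or null if it is not an
// http(s) URL. This discards the path that Referer carries and Origin lacks.
function toOrigin(value) {
  try {
    const u = new URL(value);
    return u.protocol === "http:" || u.protocol === "https:" ? u.origin : null;
  } catch {
    return null;
  }
}

// headers: object with lower-cased header names, as Node's http module provides.
function classifySource(headers, allowed = ALLOWED) {
  const origin = headers["origin"];
  if (origin !== undefined) {
    // Origin is present but the browser could not name the source.
    if (origin === "null") return { via: "origin", source: null, verdict: "opaque" };
    const o = toOrigin(origin);
    return { via: "origin", source: o, verdict: o && allowed.has(o) ? "allowed" : "foreign" };
  }
  const referer = headers["referer"];
  if (referer !== undefined) {
    // Referer is a full URL; only its origin part is compared.
    const o = toOrigin(referer);
    return { via: "referer", source: o, verdict: o && allowed.has(o) ? "allowed" : "foreign" };
  }
  // Neither header: direct visit, bookmark, file: page, noreferrer and so on.
  return { via: "none", source: null, verdict: "unknown" };
}
```

Requests with the verdict `opaque` or `unknown` carry no usable source, so the policy for them has to be chosen explicitly instead of falling through to "allowed".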
That is all on the differences between Host, Referer and Origin. I hope the above content is of some help. If you think the article is good, you can share it for more people to see.