1

Let's say my website is https://www.example.com and I am using cURL to pull https://stackoverflow.com

I am using a cURL HTTP header to spoof the referer value like this:

curl_setopt($ch, CURLOPT_HTTPHEADER, ['Referer: https://www.google.com/']);

(or)

curl_setopt($ch, CURLOPT_REFERER, "http://www.google.com");

So now, for stackoverflow.com, does it look like the traffic is coming from Google.com instead of my website example.com?

6
  • All HTTP headers can be set arbitrarily by the client, so, yes, the referer can be spoofed.
    – Olivier
    Commented Mar 22 at 11:26
  • So stackoverflow.com will see only Google.com. It can't see my website? Commented Mar 22 at 12:08
  • 1
    It will see your server's IP address as the client.
    – Barmar
    Commented Mar 22 at 13:50
  • The referer is not where the traffic is coming from. When you follow a link, it's the URL of the page containing the link, but the traffic comes from your PC's IP.
    – Barmar
    Commented Mar 22 at 13:51
  • @Barmar No, if I am fetching through cURL, it will see my web server's public IP, not my ISP IP address. But the question is not about which IP they see. It's about what referrer they see. Commented Mar 24 at 3:30

1 Answer

0

Yes. This is exactly why CURLOPT_REFERER exists: to customize the referer header. See

hans@LAPTOP-O1AO16UE:~$ cat wut.php 
<?php

$ch = curl_init();
curl_setopt_array($ch,array(
CURLOPT_URL=>'http://example.com',
CURLOPT_REFERER=>'http://google.com/',
CURLOPT_VERBOSE=>1
));
curl_exec($ch);
hans@LAPTOP-O1AO16UE:~$ php wut.php 
* Host example.com:80 was resolved.
* IPv6: 2600:1406:bc00:53::b81e:94ce, 2600:1406:bc00:53::b81e:94c8, 2600:1406:3a00:21::173e:2e66, 2600:1406:3a00:21::173e:2e65, 2600:1408:ec00:36::1736:7f24, 2600:1408:ec00:36::1736:7f31
* IPv4: 23.192.228.84, 96.7.128.198, 23.215.0.138, 23.215.0.136, 23.192.228.80, 96.7.128.175
*   Trying 23.192.228.84:80...
* Connected to example.com (23.192.228.84) port 80
> GET / HTTP/1.1
Host: example.com
Accept: */*
Referer: http://google.com/

< HTTP/1.1 200 OK
< Content-Type: text/html
(...)

The keyword here is Referer: http://google.com/

2
  • What tool or script did you use to test? Commented Mar 24 at 3:31
  • 1
    @StellanCoder they didn't use any external tool, they just set CURLOPT_VERBOSE=>1 to make cURL print details about the request it is making, to the console.
    – C3roe
    Commented Mar 24 at 9:11
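
What the receiving server can observe, as an added example (not part of the original answer or comments): a constructed local Python server stands in for the remote site and records the Referer header and the TCP peer address of one request. The names `RecordingHandler` and `observe` are made up for this illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class RecordingHandler(BaseHTTPRequestHandler):
    """Receiving side: records what it can actually observe about a request."""

    def do_GET(self):
        self.server.seen.append({
            # Client-supplied header: whatever the sender chose to write.
            "referer": self.headers.get("Referer"),
            # Taken from the TCP connection, not from anything in the request text.
            "peer_ip": self.client_address[0],
        })
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet


def observe(claimed_referer):
    """Send one GET with the given Referer to a local server; return what it saw."""
    server = HTTPServer(("127.0.0.1", 0), RecordingHandler)  # port 0: any free port
    server.seen = []
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        headers = {"Referer": claimed_referer} if claimed_referer else {}
        conn.request("GET", "/", headers=headers)
        conn.getresponse().read()
        conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return server.seen[0]


if __name__ == "__main__":
    print(observe("https://www.google.com/"))  # constructed sample value
    print(observe(None))                       # no Referer header sent at all
```

The Referer value is whatever the client wrote, so it is unsuitable for access control or trustworthy attribution; the peer address is the only field here that the client did not type.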
