Security check on Referer header

Version 1.345


Added a check on the Referer HTTP header passed to DA for all requests. The value in the Referer must match the Host value that was passed during the initial login. The host value will be stored in the session file. If a port is passed in the Referer, the port is also checked, and must match DA's currently running port. If no Referer is passed, this check is skipped.

Note that most browsers have the Referer header enabled by default. If it's not enabled in your case, then this check will not be able to help you and you are at higher risk of forms being posted from remote sites.

Note that this check is only done for session based logins. HTTP basic auth logins used by the API are not checked, since they must pass the login/pass with each request, so there is no need to verify the Referer.

The default value set internally in DA is:

check_referer=1

This will not exist in your directadmin.conf. If you wish to disable this check, add:

check_referer=0

to your directadmin.conf and restart DA.

Note that it is normal to see this error in your error.log right after your update, because the host value is not yet in your sessions file:

Referer host does not match != (null)

You will have to login again to add the host value, then you'll be fine.
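As an added illustration of the rules described above (this is not DirectAdmin's own code), here is a Python model of the check run against a few constructed requests; it assumes the session file stores the login Host as a bare hostname and that DA's running port is available as an integer.

```python
from urllib.parse import urlsplit


def check_referer(headers, session_host, running_port,
                  session_based=True, enabled=True):
    """Model of the Referer check. Returns (ok, reason).

    - skipped when check_referer=0, for basic-auth (non-session) API
      requests, or when no Referer header is present at all;
    - otherwise the Referer host must equal the Host recorded at login;
    - if the Referer carries an explicit port, it must equal DA's port.
    """
    if not enabled:
        return True, "check_referer=0: check disabled"
    if not session_based:
        return True, "basic auth request: check skipped"
    # HTTP header names are case-insensitive; normalise the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    referer = lowered.get("referer")
    if referer is None:
        return True, "no Referer header: check skipped"
    parts = urlsplit(referer)
    ref_host = parts.hostname          # lower-cased, IPv6 brackets stripped
    if ref_host is None:
        return False, "Referer has no host component"
    # Session written before the update has no host value: mirrors the
    # "!= (null)" error the changelog says to expect until re-login.
    if session_host is None:
        return False, f"Referer host does not match {ref_host} != (null)"
    if ref_host != session_host.lower():
        return False, f"Referer host does not match {ref_host} != {session_host}"
    try:
        ref_port = parts.port          # None when no port is given
    except ValueError:
        return False, "Referer has a malformed port"
    if ref_port is not None and ref_port != running_port:
        return False, f"Referer port does not match {ref_port} != {running_port}"
    return True, "ok"


def demo():
    """Constructed sample requests against a panel on port 2222."""
    host, port = "panel.example.com", 2222          # constructed values
    cases = {
        "same-origin": {"Referer": "https://panel.example.com:2222/CMD_USER"},
        "cross-site":  {"Referer": "https://attacker.example/form.html"},
        "wrong-port":  {"Referer": "https://panel.example.com:8443/x"},
        "no-referer":  {},
    }
    return {name: check_referer(h, host, port)[0] for name, h in cases.items()}
```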
