Re: [mod-security-users] HTTP_REFERER

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Achim Hoffmann wrote:
> On Fri, 18 Nov 2005, Ivan Ristic wrote:
> 
> !! > And now HTTP_HTTP_REFERER.
> !!
> !!   Won't do anything.
> !!
> !!
> !! > I followed this: HTTP_header â�� search request
> !! > header "header".
> !!
> !!   Right, but the header name is "Referer". Henece HTTP_Referer.
> 
> dooh, this brings up following question:
>  what if the HTTP header is really named   REFERER: blabla
> 
> Does this mean that mod_security only accepts the "recommended" upper-,
> lower-case spelling according RFC?
> (I mean matching the header, not mod_security's HTTP_<header> keywords)

  ModSecurity ignores case so you are fine either way. (This will be
  configurable in the future.)

  I just like to write the header names/variable names/cookie names
  in lowercase to lessen the chance of confusion.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org