Are these (and other best practices for OP/RP's) being compiled somewhere (like on the wiki)? I think this has been answered, but I'm not sure.<br><br>david<br><br><div><span class="gmail_quote">On 4/12/07, <b class="gmail_sendername">
Martin Atkins</b> <<a href="mailto:mart@degeneration.co.uk">mart@degeneration.co.uk</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>Some good advice there, Gareth.<br><br><a href="mailto:gaz_sec@hushmail.com">gaz_sec@hushmail.com</a> wrote:<br>><br>> Another useful tip for securing OpenID servers is to use referrer<br>> checking, now you might think that this is useless because the
<br>> referrer can be faked. However in javascript it is more difficult<br>> for a hacker to fake the referrer header, as headers can't be<br>> easily sent with form posts so referrer checking can actually<br>
> increase the security of your server and prevent some CSRF.<br>><br><br>Be careful when using referrer checking, though.<br><br>Many people use filtering proxies or other similar software which blocks<br>the Referer header or alters it in some way. Behavior I've observed for
<br>such software is often one of:<br> * Don't send the Referer header at all.<br> * Set the Referer to be whatever URL is being requested.<br> * Set the Referer to be the root of the site to which the request is<br>
being sent.<br><br>So if you're going to do referrer checking, it's best to firstly limit<br>your checking to only ensuring that the hostname portion of the URL is<br>correct, and also to allow the request through if the Referer header is
<br>completely absent. That will cover you for all of the above odd-ball<br>cases without reducing the advantages of the referrer checking.<br><br><br>_______________________________________________<br>security mailing list
<br><a href="mailto:security@openid.net">security@openid.net</a><br><a href="http://openid.net/mailman/listinfo/security">http://openid.net/mailman/listinfo/security</a><br></blockquote></div><br>