I thought I was being really slick by using the $_SERVER['HTTP_REFERER']
variable to guarantee my script was being called from the appropriate page.
Luckily, when I performed a header('Location: yourPathHere.php')
redirect in my testing browser, it wouldn't set the $_SERVER['HTTP_REFERER']
variable. So I looked it up at http://php.net/manual/en/reserved.variables.server.php, only to find this...
'HTTP_REFERER'
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
So my question is: How can I guarantee my page is being navigated to from a trusted source?
EDIT: To clarify questions regarding the comments section. I'm trying to avoid XSRF (cross-site request forgery).
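The usual answer to this question is a synchronizer token: a secret stored server-side in the session and echoed back in every state-changing form, which a cross-site forger cannot read. The following self-contained script is an added example, not the poster's code; the file name handler.php and the form action are hypothetical.

```php
<?php
// Added example (not the poster's code): synchronizer-token CSRF protection.
// The token lives in the server-side session, so a request forged from another
// site cannot include it; unlike HTTP_REFERER, the browser does not control it.
session_start();

// Return the session's CSRF token, creating it on first use.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit random value
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to place inside every form that changes state.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison of the submitted token with the session copy.
// Returns false when the session has no token, the field is missing,
// or the values differ.
function csrf_valid($submitted): bool {
    if (empty($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The sensitive action: reject anything without a matching token.
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    echo 'Action performed.'; // ... do the state-changing work here ...
} else {
    // Render the form (hypothetical action handler.php) with the token embedded.
    echo '<form method="post" action="handler.php">'
       . csrf_field()
       . '<button type="submit">Submit</button></form>';
}
```

The check must run on every request that changes state, never only on GET pages; setting the session cookie's SameSite attribute is a useful second layer but not a replacement for the token.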