Firewall using http.referer field doesn't appear to be working

Hello,

We’re trying to challenge bad traffic we’re receiving, where the “referer” is set to a Google URL which isn’t possible (since Google doesn’t send their querystring/etc). Here’s what we’re using:

(http.referer eq "https://www.google.com/search/?q=")

After rolling out the firewall rule, I cannot get it to trigger using a basic CURL request:

curl --request GET \
  --url 'https://www.mysite.com/' \
  --header 'referer: https://www.google.com/search?q='

Am I using the firewall rule incorrectly? Any help would be appreciated. Thanks.

How about a referrer contains “www.google.com/search” (you might have to escape that slash…or not). My referrer blocks are only for “contains” the FQDN.

And if there is an escaping issue, you might try to escape the question mark. Speaking of that question mark…there’s nothing after it in the requests you’re blocking? Your rule requires a complete match.

Thanks for the reply. I’ll try the contains. And yeah, there’s nothing more beyond that - this source is spamming us with the fake Google “search traffic” - Google’s policy is “origin” so we should only ever get just “https://www.google.com/” as the referer really.

The escape thing is interesting - is CF internally running it as a Regex?

Removing the “=” from the end seemed to do the trick here. Interesting.

(http.referer contains "https://www.google.com/search?q")

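Added example, not part of any post in this thread and not Cloudflare's code: a Python model of the `eq` (exact match) and `contains` (substring) comparisons, run on the exact strings posted above to show where the first rule's literal and the curl test header differ. The `beyond_origin` check is hypothetical and assumes, as stated in the thread, that Google sends only its origin as the referer; all function names and sample values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Rule literals and the test header exactly as posted in the thread.
RULE_EQ = "https://www.google.com/search/?q="
RULE_CONTAINS = "https://www.google.com/search?q"
CURL_REFERER = "https://www.google.com/search?q="

def rule_eq(referer, literal):
    """Model of `http.referer eq "..."`: the whole string must match."""
    return referer == literal

def rule_contains(referer, literal):
    """Model of `http.referer contains "..."`: substring match."""
    return literal in referer

def first_difference(a, b):
    """Index of the first differing character, or -1 if the strings are equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))

def beyond_origin(referer, host="www.google.com"):
    """True when a Referer names `host` but carries a path or query,
    i.e. more than an origin-only referrer policy would send (assumption)."""
    parts = urlsplit(referer)
    if parts.hostname != host:
        return False
    return parts.path not in ("", "/") or bool(parts.query)

# Constructed sample Referer values (not taken from real logs).
SAMPLES = [
    "https://www.google.com/",
    "https://www.google.com/search?q=",
    "https://www.google.com/search?q=shoes",
    "https://example.org/page",
]

if __name__ == "__main__":
    print("eq fires on curl test:", rule_eq(CURL_REFERER, RULE_EQ))
    print("first difference at index", first_difference(CURL_REFERER, RULE_EQ))
    print("contains fires on curl test:", rule_contains(CURL_REFERER, RULE_CONTAINS))
    for r in SAMPLES:
        print(f"{r!r:45} beyond_origin={beyond_origin(r)}")
```

The first difference is at index 29: the `eq` literal has `/search/?q=` while the curl header sends `/search?q=`, so an exact match cannot fire on that test request.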
