HTTP_REFERER is generated by the client in the HTTP Header. It can easily be spoofed. However, this is usually done client side, and only a rougue browser would be spoofing HTTP headers.
Although I would not put it past someone to find a way around the client side limitations.
If this were the case .htaccess would be rendered useless.
|