Yes, but keep in mind some proxies and other things strip this information out, and it can be easily forged. So never rely on it. For example, don't think your web app is secure from CSRFbecause you check the referrer to match your own server.

是的，但请记住，一些代理和其他东西会删除这些信息，并且很容易伪造。所以永远不要依赖它。例如，不要认为您的 Web 应用程序对CSRF是安全的，因为您检查了引荐来源以匹配您自己的服务器。

$referringSite = $_SERVER['HTTP_REFERER']; // is that spelt wrong in PHP ?

If you want to only allow requests from a specific domain you'll need to parse some of the URL to get the top level domain. As I've learned more, this can be done with PHP's parse_url().

如果您只想允许来自特定域的请求，则需要解析一些 URL 以获取顶级域。随着我了解的更多，这可以通过 PHP 的parse_url()来完成。

As andykpoints out in the comments, you will also have to allow for www.example.com and example.com.

正如andyk在评论中指出的那样，您还必须允许 www.example.com 和 example.com。

While you can look at $_SERVER['HTTP_REFERER']to get the referring site, don't bet the farm on it. The browser sets this header and it's easily spoofed.

虽然您可以查看$_SERVER['HTTP_REFERER']获得推荐网站，但不要把赌注押在农场上。浏览器设置了这个标题，它很容易被欺骗。

If it's critical that only people coming from specific referrers view your site, don't use this method. You'll have to find another way, like basic auth, to protect your content. I'm not saying that you shouldn't use this technique, just keep in mind that it's not fool-proof.

如果只有来自特定推荐人的人才能查看您的网站很重要，请不要使用此方法。您必须找到另一种方式（例如基本身份验证）来保护您的内容。我并不是说你不应该使用这种技术，只是要记住它不是万无一失的。

BTW, you can also block referrers at the apache level using mod_rewrite.

顺便说一句，您还可以使用 mod_rewrite在 apache 级别阻止引用。

You cannot trust the referrer. Despite coming from the $_SERVERarray, it is actually a user/browser supplied value and is easily faked, using such things as the Firefox RefControl addon.

你不能相信推荐人。尽管来自$_SERVER数组，但它实际上是用户/浏览器提供的值，很容易伪造，使用诸如 Firefox RefControl 插件之类的东西。

You need to examine the $_SERVER array for the 'HTTP_REFERER' key.

您需要检查 $_SERVER 数组中的“HTTP_REFERER”键。