javaservletshttp-redirectheaderreferer

Java servlet: How to remove header "referer" on redirect?


Is it possible remove header Referer when you execute redirect on java servlet? kind of

response.setHeader("Referer", null);
response.sendRedirect(url)

Also I tried filter. It even doesnt call setHeader or addHeader methods on response. It looks like i cannot change existing filters. Found such article http://sandeepmore.com/blog/2010/06/12/modifying-http-headers-using-java/

import java.io.IOException;
import java.util.Map;
import java.util.TreeMap;
import java.util.Map.Entry;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class HeaderFilter extends OncePerRequestFilter {

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
        throws ServletException, IOException {
    filterChain.doFilter(new HeaderHttpRequestWrapper(request), new HeaderHttpResponsetWrapper(response));

}

private static class HeaderHttpRequestWrapper extends HttpServletRequestWrapper {

    public HeaderHttpRequestWrapper(HttpServletRequest request) {
        super(request);

    }

    @Override
    public String getHeader(String name) {
        if ("Referer".equalsIgnoreCase(name))
            return "";
        return super.getHeader(name);
    }

}

private static class HeaderHttpResponsetWrapper extends HttpServletResponseWrapper {

    public HeaderHttpResponsetWrapper(HttpServletResponse response) {
        super(response);

    }

    @Override
    public void sendRedirect(String location) throws IOException {
        // TODO Auto-generated method stub
        super.sendRedirect(location);
    }

    @Override
    public void addHeader(String name, String value) {
        if ("Referer".equalsIgnoreCase(name))
            return;
        super.addHeader(name, value);
    }

    @Override
    public void setHeader(String name, String value) {
        if ("Referer".equalsIgnoreCase(name))
            return;
        super.setHeader(name, value);
    }

}

}


Solution

  • The referer header is not set on the response at all. It's set on the request. With a redirect you're basically instructing the client to create a brand new request all on its own. That request is created on the client side, not on the server side.

    The real technical problem is that you can't change the request headers from the server side at all. Response headers, however, are surely modifiable in server side as it's actually the server itself who creates them.

    Your closest bet is to redirect to a proxy, which happens to be your own or the one you have full control over, and let the proxy in turn strip the request header. Or, just let the servlet itself act as proxy.