Forum OpenACS Q&A: Response to Cross Site Scripting FAQ (fwd)

Posted by Ash Argent-Katwala on
Checking the Referer header isn't an awful lot of use, and will break things for people who have odd but compliant software. It's perfectly reasonable for a browser to send no Referer headers at all. You could just match if there is a Referer, but then will that catch the misbehaviour you want to? In tailing the logs here though I've also seen visitors who have a constant Referer set to some site. It was an oddly configured IE 5 (going by the browser id, which is hokey).

It's simpler to just not abuse GET, and where someone does a GET where you were expecting a POST, offer them an explanation and a POST form to really do whatever you want.

Of course for some browsers you can probably boink the form submit button to get a post together, either from a form presented on the foreign site (which is less likely to be allowed) or by knocking together a form in the same environment as your bit of script that simply has an action on the site to be attacked.
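The approach the post recommends, as an added example that is not part of the original thread or of OpenACS itself: a handler for a state-changing action that never acts on GET, instead answering a GET with an explanation and a POST form carrying the same parameters, and that only applies the weaker Referer test the post discusses (reject when a Referer is present and names another host; a missing Referer is allowed, since compliant clients may send none). The hostname `example.test`, the path `/delete`, and the in-memory `STATE` dict are constructed for the example.

```python
"""Added example: GET explains and offers a POST form; only POST changes state.
Not from the forum thread or the OpenACS code base."""
from html import escape
from urllib.parse import urlsplit, parse_qs

# Constructed in-memory stand-in for the site's database.
STATE = {"deleted": []}


def parse_params(raw):
    """Parse a query string or urlencoded body into a flat {name: value} dict."""
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def referer_is_foreign(headers, own_host):
    """True only when a Referer is present AND names another host.

    A missing Referer is treated as unknown rather than hostile, because
    plenty of compliant clients send none; that gap is exactly why this
    check is a weak defence on its own, as the post points out.
    """
    ref = headers.get("Referer")
    if not ref:
        return False
    return urlsplit(ref).hostname != own_host


def confirmation_form(path, params):
    """Explanation page plus a POST form that re-submits the same parameters."""
    hidden = "".join(
        f'<input type="hidden" name="{escape(k)}" value="{escape(v)}">'
        for k, v in params.items()
    )
    return (
        "<p>This action changes data, so it must be sent with POST.</p>"
        f'<form method="POST" action="{escape(path)}">{hidden}'
        '<button type="submit">Confirm</button></form>'
    )


def handle_delete(method, path, raw_params, headers, own_host="example.test"):
    """Handle a request to the (hypothetical) /delete action.

    raw_params is the query string on GET or the form body on POST.
    Returns (http_status, body).
    """
    params = parse_params(raw_params)
    item = params.get("item", "")
    if method == "GET":
        # Never act on a GET: explain and hand back a POST form instead.
        return 200, confirmation_form(path, {"item": item})
    if method != "POST":
        return 405, "Method not allowed"
    if referer_is_foreign(headers, own_host):
        return 403, "Cross-site request refused"
    STATE["deleted"].append(item)
    return 200, f"Deleted {escape(item)}"


if __name__ == "__main__":
    # Constructed requests: a bare GET, then the POST the form would send.
    print(handle_delete("GET", "/delete", "item=42", {}))
    print(handle_delete("POST", "/delete", "item=42",
                        {"Referer": "https://example.test/list"}))
    print(STATE)
```

Note that the Referer test is deliberately the last line of defence here, not the first: the real protection is that nothing changes until a POST arrives, which is the point of answering GET with a form rather than acting on it.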