Vendors Use HTTP referrer Code To Lock Down Discount Offers

How To Protect Discount Offers From Leakage on to Public Forums

A great example of HTTP referer being used in the wild is the Costco membership rebate offer. This offer is available at: https://www.costcomembershipoffer.com/purchase/purchase/CorporateShopping This link only provides the large rebate works if the user clicked on it from an approved source website, otherwise the destination website (IE Costco) does not recognize the HTTP referer value and then rejects the request to show the destination webpage and provides an alternative web page instead.

Just to note that ‘referer’ in ‘HTTP referer’ is actually spelt incorrectly as it was first created back in the early 1990’s when the early computer scientist, Phillip Hallam-Baker invented the protocol and made a typographical error. At the time, there was no spell checker in his Unix system to pick up the typo and it became something of folklore. The misspelling is now set in stone for HTTP but is accepted both ways in some modernized internet and software development tools.

This function is now being used on many special offers for goods and services, as the unauthorized distribution of secret links and secret discount codes have become problematic to vendors with many users now sending the links and codes to friends and family for use outside the exclusive intended circle. Users may also start posting the offers up on public discount coupon websites like retailmenot, Craigslist, Honey, Reddit and Savings, where the issue can become even more complicated for the vendor, as it impacts retail sales.

Developer Code to Use the HTTP referer (referrer)

Web developers can choose from the variety of different solutions below to achieve the same result of blocking web requests from non-approved sources

HTML Code:
Most web developers can use the basic HTML code:
<a href="example.com" referrer="insert approved source website URL here”>Click To Get Special Offer’</a>

PHP Code:
PHP developers can use this code below:
<?php if ($_SERVER['HTTP_REFERER'] == "http://yoursite.com/IMPORTANT_FILE.php")
{ // continue } else
{ header("Location: http://yoursite.com/");
exit(); //Stop running the script // go to form page again. } ?>

Function Code:
The function Code is also available for more experienced developers:
<a onclick="mask(‘example website')">Click me</a>

function mask(url) {
var meta = document.createElement("meta");
meta.setAttribute("http-equiv", "refresh");
meta.setAttribute("content", "0; url=" + url);
}

Protected Offers Are Best for Vendors Who Want to Keep Their Offers Exclusive

When a referrer code’s prerequisites are not met, users can be redirected to the websites homepage and will then be able to shop and browse just like any other regular user, albeit without the special offer.

Vendors who implement a referrer code can kill two birds with one stone. The referrer code only allows certain users access to the protected web page and also it helps to keep track of where the site's users are coming from for analytical and security purposes.

Protected offers through a referrer code are the best bet for a company who wants to keep their offers exclusive. Other methods, such as discount codes, direct links and limited time offers can be easily distributed or simply sent out by the users who are whitelisted.

Using a microsite to get sales may also be a safe and well integrated route to keep an offer exclusive. A microsite is just what it sounds like, a smaller webpage that is built into another page. Microsites often have their own scroll bars and x-buttons to close, just like any other standard internet browser session. This method of keeping offers exclusive is effective and is hard to hack, just like an HTML referer code. However, microsites are much harder to implement properly and may not pass a cookie along with it.