User controlled information, such as the referrer header, or any information contained in the Request that is modifiable by a user should never be used as part of an access control decision.