in reply to SF_form_secure
I get nervous when I see HTTP_REFER and (unqualified) security mentioned together.
Leaving aside the fact that the Referer header is trivially spoofed in a client, many "personal firewalls", proxies and other internet security software will remove or otherwise anonymise the Referer header: the HTTP Specification makes the suggestion that it might be removed.
Beyond that it's not exactly clear how this might be used.
/J\