That last bit isn't true. It's easy to spoof HTTP_REFERER *if you're the client*. It's not easy for the fake web site to convince the client to do a request with a spoofed HTTP_REFERER.