After some testing, I see the Referrer Filter is doing a good job blocking POST requests outside of the current environment using the default configuration ("Allow Hosts" is blank). And the documentation states "By default, all variations of localhost and the current host names the server is bound to are in the white list."
But how is it even "aware" of the "the current host names the server is bound to?" Our site URLs are VIPs that point to the dispatchers so I don't know how that gets passed down to the publish instances.
The referrer check is a very simple check: It checks if the hostname of the referring page (HTTP header: referrer) is the same as the hostname in the HTTP host header.
There are exceptions for this rule as mentioned, so you can automate tasks from the same machine more easily.
Thanks, I see that now. I forgot that when the Dispatcher makes it's HTTP connection to the publish instance, it passes the end-user facing domain as the HTTP host header even though that would not resolve to the publish instance host.
