In the django docs:
HttpRequest
objects
Attributes¶
All attributes should be considered read-only, unless stated otherwise.
would it be safe to use the value of HTTP_REFERER in a view variable to get the previous page a user visited or can this be spoofed client-side?