I'm curious as to the difference of denying access using the global $_server['http_referer'] and using .htaccess with deny from all/allow from ip
Are both bypassable in the same way or is .htaccess a secure way to stop access based on the referer?
Kind regards,
$_SERVER['HTTP_REFERER'] is easy to spoof so depending on that for anything non-trivial is not a good idea.
Using .htaccess with deny from all/allow from ip is better is better because it restricts access to a list of IPs you specify. But this starts to fail if you allow entire blocks access to your site. Then this can be defeated easily by using a proxy.
So neither is going to be a perfect solution to keeping someone out of your website.
update
Based on your comment you should consider an authentication method that only the referring sites and you know about. Basically they should be passing you a hash that is created from secret values that change per request. That way they can't be spoofed and you can verify with certainty that the request is legitimate.