referer protection

Started by Zugschlus, Today at 10:48:04 AM

Hi,
This has been discussed a number of times, but a few years ago, and OPNsense has continued to be developed. And, frankly, I didn't understand the explanations.

I think that I am not the only person who has a web page on an internal Wiki that contains the link to the administration pages of the managed devices. I therefore have links to my OPNsense Web UI machines there. The hostname that is part of those links is entered in System > Settings > Administration (multiple host names, for both nodes, as a space-separated list, all spelled correctly).

One of the hostnames I have listed there, for example, is opnsense2.mgt.ka51.zugschlus.de. That host name is correctly in the local DNS and maps to a primary IP address of the OPNsense installation.

The link in my Wiki page points to https://opnsense2.mgt.ka51.zugschlus.de/

And still, when I click on the link, I _sometimes_ get the message that OPNsense doesn't like my referer. Sometimes, but not every time. I guess that depends on whether I am already logged in to the device in another tab of that browser. The exact error message is "The HTTP_REFERER "http://mywiki.example.com/" does not match the predefined settings. You can disable this check if needed under System: Settings: Administration"

When does this happen? Why does this happen? I think I have everything configured correctly. Can this possibly have to do with the fact that the wiki is (still, don't ask) an unencrypted http server?

What is the referer check supposed to protect me from? Currently it is protecting me from easily accessing my devices. Is there any trick I can use to have working links AND referer protection? Is there a (hidden?) setting that allows me to set allowed referers?

Some of the older forum threads suggest that I should enter the name of the wiki as another alternate hostname in OPNsense. That CAN'T be correct advice, can it?

Greetings
Marc
Marc 'Zugschlus' Haber - St. Ilgen, Germany
Freelance IT Insultant, Debian Developer, Railroad Addict