As mentioned elsewhere on CDAC - don’t rely on the Referrer:
It will cause you pain. Not only is not really reliable from a browser perspective (some won’t send it depending on settings)- firewalls might strip it as well as well as depending on firewalls and web servers - they might be captured in log files.
Best thing is to do the lic enforcement at the initial iframe page that is loaded and then if you need to - pass the parameter onwards to any other urls that will need it.
xdm_e is also another parameter that you need to watch out for as to not to use…Deprecation of xdm_e Usage