=== How to fix it in Express.js

include::../../common/fix/code-rationale.adoc[]

==== Non-compliant code example

[source,javascript,diff-id=1,diff-type=noncompliant]
----
server.get('/redirect', (request, response) => {
   
   response.redirect(request.query.url); // Noncompliant
});
----

==== Compliant solution

[source,javascript,diff-id=1,diff-type=compliant]
----
server.get('/redirect', (request, response) => {

   if (request.query.url.startsWith("https://www.example.com/")) { 
      response.redirect(request.query.url);
   }
});
----

include::../../common/fix/how-does-this-work.adoc[]

=== Pitfalls

include::../../common/pitfalls/starts-with.adoc[]