=== How does this work?
Built-in framework methods should be preferred as, more often than not, these
provide additional security mechanisms. Usually, these built-in methods are
engineered for internal page redirections. Thus, they might not be the solution
for the reader's use case.

In case the application strictly requires external redirections based on
user-controllable data, this could be done using the following alternatives:

1. Validating the `authority` part of the URL against a statically defined value
   (see Pitfalls).
2. Using an allow-list approach in case the destination URLs are multiple but
   limited.
3. Adding a customized page to which users are redirected, warning about the
   imminent action and requiring manual authorization to proceed.
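Alternatives 1 and 2 combined, as an added example that is not part of the original page: the `authority` of a user-supplied URL is parsed with the standard library and compared exactly against a static allow-list, falling back to a fixed landing page otherwise. The host names and the 50-line cap on the allow-list are constructed for this example.

```python
"""Guard for user-controllable redirect destinations (added example)."""
from urllib.parse import urlsplit

# Constructed allow-list for this example: static, short, not user-editable.
ALLOWED_HOSTS = frozenset({"trusted.example", "partner.example"})
ALLOWED_SCHEMES = frozenset({"https"})


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if `target` is an absolute https URL whose authority
    (host and port) exactly matches an allow-listed host."""
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False
    # Relative ("/x") and scheme-relative ("//evil.example") forms are rejected:
    # their meaning depends on how the browser completes them, not on our parser.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # Refuse embedded userinfo: "trusted.example@evil.example" reads as the
    # trusted host to a human but the browser connects to evil.example.
    if "@" in parts.netloc:
        return False
    # .hostname lower-cases the host and strips the port, so
    # "https://TRUSTED.EXAMPLE:443/" is still matched exactly.
    host = parts.hostname
    if host is None:
        return False
    # Exact membership, never startswith/endswith:
    # "trusted.example.evil.example" must fail.
    if host not in allowed_hosts:
        return False
    try:
        port = parts.port  # ValueError for non-numeric or out-of-range ports
    except ValueError:
        return False
    return port in (None, 443)


def resolve_redirect(target: str, fallback: str = "https://trusted.example/") -> str:
    """Return the validated destination, or the fixed fallback page."""
    return target if is_safe_redirect(target) else fallback
```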