Fix guide · medium · open_redirect

Open redirect parameter accepts external URLs

What this rule means

A page accepts a redirect-shaped query parameter that follows arbitrary external URLs.

Why it matters

Attackers chain this in phishing campaigns: send a victim a link with yourdomain.com/login?next=https://attacker.com/fake-login, the victim sees your domain, logs in, then gets redirected to a credential-harvesting page.

How to fix it

Validate the redirect target. Two patterns:

  1. Same-origin only:

```js
// Resolve the parameter against the request URL so relative paths stay
// on this origin, then compare parsed origins (request.url is a string,
// so it has to be parsed before .origin is available).
const target = new URL(redirectParam, request.url);
if (target.origin !== new URL(request.url).origin) return defaultRedirect;
```

  2. Allowlist:

```js
// Each entry is an origin; the trailing '/' in the prefix check stops
// 'https://stripe.com.evil.com' from matching 'https://stripe.com'.
const ALLOWED = ['https://stripe.com', 'https://docs.you.com'];
const target = new URL(redirectParam, request.url);
if (!ALLOWED.some(o => target.toString().startsWith(o + '/'))) return defaultRedirect;
```
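The two patterns combined into one resolver, as an added example that is not vibecheck's own code. The function name, parameters and the sample origins are assumptions for the demo; it also handles the inputs that defeat naive string checks (protocol-relative `//host`, backslash `/\host`, a `user@host` prefix, non-web schemes and unparsable input).

```javascript
// Added example (not vibecheck's code). Names and sample values are assumed.
// Returns a safe location to redirect to, or defaultRedirect if the
// requested target is neither same-origin nor on the allowlist.
function safeRedirect(redirectParam, requestUrl, allowedOrigins = [], defaultRedirect = '/') {
  let target;
  try {
    // Resolving against the request URL turns "/account" into an absolute
    // same-origin URL while leaving "https://attacker.com" unchanged.
    target = new URL(redirectParam, requestUrl);
  } catch {
    return defaultRedirect; // unparsable input is never forwarded
  }

  // Only web schemes may be followed; javascript:, data: etc. are rejected.
  if (target.protocol !== 'https:' && target.protocol !== 'http:') {
    return defaultRedirect;
  }

  // Pattern 1: same-origin. Comparing parsed origins (not raw strings) means
  // "//attacker.com", "/\\attacker.com" and "https://you.com@attacker.com"
  // all resolve to a foreign origin and fall through.
  const selfOrigin = new URL(requestUrl).origin;
  if (target.origin === selfOrigin) {
    // Hand back a relative location so the response never carries a host.
    return target.pathname + target.search + target.hash;
  }

  // Pattern 2: allowlist of exact origins (scheme + host + port), so
  // "https://stripe.com.evil.com" cannot match "https://stripe.com".
  if (allowedOrigins.includes(target.origin)) {
    return target.href;
  }

  return defaultRedirect;
}
```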

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
