Open Redirect

User input passed directly to redirect()


Why this matters

Open redirects let attackers craft URLs on your domain that redirect to phishing sites. Users trust your domain, so they click — and land on a credential-stealing page.

Bad
// Assumes the Next.js App Router, where redirect() is exported from "next/navigation".
import { redirect } from "next/navigation";

export async function GET(req: Request) {
  const url = new URL(req.url);
  // Attacker-controlled: ?next=https://evil.example is passed straight through
  const next = url.searchParams.get("next") ?? "/";
  redirect(next);
}

Good
// Assumes the Next.js App Router, where redirect() is exported from "next/navigation".
import { redirect } from "next/navigation";

export async function GET(req: Request) {
  const url = new URL(req.url);
  const next = url.searchParams.get("next") ?? "/";
  // Only allow relative paths: must start with exactly one slash,
  // so absolute URLs and protocol-relative (//host) URLs fall back to "/"
  const safe = next.startsWith("/") && !next.startsWith("//") ? next : "/";
  redirect(safe);
}

How to fix

Validate redirect targets are relative paths on your own domain. Reject absolute URLs, protocol-relative URLs (//), and any input that doesn't start with a single slash.
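A stricter version of that check, added here as an example and not the rule's own code, resolves the candidate against an assumed site origin and accepts it only if the resolved origin is unchanged. Letting the URL parser decide where the browser would actually go also rejects inputs such as a backslash after the leading slash, which WHATWG parsers treat like a second slash.

```typescript
// Added example: validate a redirect target by resolving it against the site
// origin instead of trusting string prefixes alone.
// SITE_ORIGIN is an assumed deployment origin, not a value from the rule page.
const SITE_ORIGIN = "https://example.com";

function safeRedirectPath(next: string | null, fallback = "/"): string {
  // Empty or missing input: go to the fallback.
  if (!next) return fallback;
  // Same rule as the page: the target must begin with a single slash.
  if (!next.startsWith("/") || next.startsWith("//")) return fallback;

  let resolved: URL;
  try {
    // Resolve relative to our own origin; the parser applies the same
    // rules the browser will use, including backslash normalisation.
    resolved = new URL(next, SITE_ORIGIN);
  } catch {
    return fallback;
  }
  // Anything that resolved to another origin (e.g. "/\\evil.example") is rejected.
  if (resolved.origin !== SITE_ORIGIN) return fallback;

  // Re-emit only path, query and fragment so no scheme or host can survive.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Usage in a route handler would be: redirect(safeRedirectPath(url.searchParams.get("next")));
```

The function returns the fallback for every rejected input rather than throwing, so a handler can pass its result to redirect() unconditionally.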
