Home/ Questions/Q 7977125
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-04T09:06:14+00:00

Google’s Webmaster blog wrote some solution on how to prevent Open Redirect Protection abuse,

  • 0

Google’s Webmaster blog wrote some solution on how to prevent Open Redirect Protection abuse, I’ve been perplexed by some of the solutions there for quite sometime, I tried googling but found no results.

  1. Change the redirect code to check the referer
  2. Consider using a whitelist
  3. Consider signing your redirects
  4. Specifically disallow off-site redirects

My guesses on the solution:

  1. Use %{HTTP­_RE­FERER} to do some checking in the url request
  2. Use some regex in the url request to check if the site in the url
    request is within the scope of the regex
  3. Can’t think of any
  4. Can’t think of any

Please let me know if my guesses are correct, and if they’re not please tell me how to do it correctly in PHP or Apache. Thanks!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team
    1. correct, but this is not a reliable approach. HTTP Referrer can be manipulated.
    2. Define a list of URLs which are allowed to be redirected to, compare to this list and cancel redirects to any other URL.
    3. Add a salted hash of the redirect as a redirect param. Before redirecting, check that hash with the request params. If the calculated hash is the same as the hash in the request params, probably no request manipulation is made -> redirect can be executed. This prevents any redirects to be executed unless anybody guesses your hash-generation algorithm (thats why you have to salt it with a secret key).
    4. Cancel all redirects which will lead to any URL that doesn’t contain your website as host. This can be done with a regex as you guessed at 2.
    • 0