Skip to main content
rulesSource-backedReview first Safety Privacy

AI-Generated Insecure Deserialization Review Rules

Source-backed rules for reviewing AI-generated code that deserializes data before merge for insecure deserialization risk, covering native serialization formats (pickle, PyYAML, Java Serializable) that can execute arbitrary code on untrusted input, safe data-interchange alternatives, and class allowlisting/integrity checks when native formats can't be avoided.

by lourincedaging0-commits·added 2026-07-15·
HarnessClaude Code
Review first review before installing

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Source URLs
https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html, https://github.com/JSONbored/awesome-claude/blob/main/content/rules/ai-generated-insecure-deserialization-review-rules.mdx
Safety notes
Deserializing untrusted data with a native format's full-featured API (pickle, unsafe YAML, Java Serializable, PHP unserialize) can cause denial-of-service or remote code execution — the vulnerability triggers during deserializing itself, before any application logic runs on the result., AI assistants often reach for the most convenient deserialization call (pickle for Python object graphs, yaml.load for config-like YAML, ObjectInputStream for Java) without checking whether the input is trusted, since developer-controlled test data works regardless of which API is used., An integrity check (signature/MAC) added after deserialization already ran does not help — the attack happens during deserialization, so the check must gate the deserialization call itself, not just the object it produces.
Privacy notes
Deserialization proof-of-concept payloads (e.g. a crafted pickle or Java serialized stream) can trigger real code execution in a test environment; run them only in an isolated, disposable sandbox, never against a shared or production system., Do not commit real crafted exploit payloads, credentials, or internal class/package names discovered while testing into a public PR or issue; describe the vulnerable pattern instead of attaching a working exploit.
Author
lourincedaging0-commits
Submitted by
lourincedaging0-commits
Claim status
unclaimed
Last verified
2026-07-15

Decision playbook

Review trust signals before you adopt

Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.

Compare context
Selected

0

Current score

78

Baseline

Delta

No baseline selected

No major trust-signal divergence detected in the current selection.

Source and provenance checks

Complete

Confirm ownership and provenance before trusting install instructions.

  • Source link availableRequired

    Open the canonical repository and verify ownership.

    Done
  • Source provenance statusRequired

    Marked as source-backed.

    Done
  • Metadata reviewed

    Registry metadata indicates a reviewed listing.

    Done

Safety and privacy checks

Complete

Validate risk disclosures before installation or API wiring.

  • Safety notes presentRequired

    Review the listed safety guidance before running commands.

    Done
  • Privacy notes presentRequired

    Review data handling notes before connecting accounts or secrets.

    Done
  • Trust level risk gateRequired

    Trust level does not block evaluation.

    Done

Package and install checks

Needs review

Check package metadata and artifact integrity signals.

  • Install payload available

    Install or copy payload is available for review.

    Done
  • Package verification flag

    No package verification flag provided.

    Pending
  • Checksum metadata

    No checksum provided for downloaded artifact.

    Pending

Compare-driven decision checks

Needs review

Use compare context to validate trade-offs before adoption.

  • Compare tray has multiple entries

    Add at least one more entry to compare trust differences.

    Pending
  • Baseline comparison available

    No baseline peer selected yet.

    Pending
  • Diverging trust signals identified

    No major trust-signal divergence found.

    Pending

Setup at a glance

Copy & paste

Copy-ready — paste the snippet to get started.

15 minutes

Install command

Not provided

Config snippet

Not provided

Copy snippet

Provided

Prerequisites

4 to clear

Platforms

1 listed

Install type

Copy & paste

Adoption plan

Balanced adoption plan

Current risk score 16/100. Use staged verification before broader rollout.

Risk 16

Pre-adoption checks

Validate source and review signals before any execution.

  • Confirm source provenanceRequired

    Source URL/provenance metadata is present.

    Done
  • Confirm metadata review state

    Listing has review metadata.

    Done
  • Verify install payload

    Install/config payload exists and can be inspected.

    Done

Security checks

Confirm safety, privacy, and package integrity signals.

  • Review safety notesRequired

    Safety notes are present.

    Done
  • Review privacy notesRequired

    Privacy notes are present.

    Done
  • Verify package integrity metadata

    No package verification/checksum metadata.

    Pending

Rollout

Adopt in controlled steps based on the selected plan.

  • Run in isolated sandbox firstRequired

    Use a constrained sandbox and observe behavior across multiple tasks.

    Pending
  • Roll out graduallyRequired

    Roll out to a small cohort before wider usage.

    Pending
  • Set monitoring and fallback

    Define rollback path and monitor errors after adoption.

    Pending

Evidence readiness

Evidence readiness matrix · balanced

Required evidence gates are covered (5/6 signals complete).

Risk 15

Source provenance

Present

Source repository/provenance is listed.

Required in this preset

Metadata review

Present

Review metadata is present.

Required in this preset

Safety notes

Present

Safety notes are present.

Required in this preset

Privacy notes

Present

Privacy notes are present.

Optional in this preset

Package integrity

Missing

Package integrity metadata is missing.

Optional in this preset

Install payload

Present

Install payload is available.

Required in this preset

Required evidence gates are covered for this preset.

Decision timeline

Decision timeline · balanced

5/6 steps complete with no blocking gaps for this preset.

Risk 14

triage

Confirm source provenanceRequired

Source/provenance metadata is available.

Done

triage

Check metadata review statusRequired

Review metadata is available.

Done

verify

Review safety notesRequired

Safety notes are available.

Done

verify

Review privacy notes

Privacy notes are available.

Done

verify

Validate package integrity metadata

Package integrity metadata is missing.

Pending

rollout

Verify install payload and commandsRequired

Install payload is available.

Done

No required blockers for this timeline preset.

Prerequisite readiness

Prerequisite readiness

4 prerequisites to line up before setup.

0/4 ready
Install & runtime2Permissions & scopes1General115 minutes

Safety & privacy surface

Safety & privacy surface

3 safety and 2 privacy notes across 4 risk areas. Review closely: credentials & tokens, network access.

4 areas
  • SafetyNetwork accessDeserializing untrusted data with a native format's full-featured API (pickle, unsafe YAML, Java Serializable, PHP unserialize) can cause denial-of-service or remote code execution — the vulnerability triggers during deserializing itself, before any application logic runs on the result.
  • SafetyGeneralAI assistants often reach for the most convenient deserialization call (pickle for Python object graphs, yaml.load for config-like YAML, ObjectInputStream for Java) without checking whether the input is trusted, since developer-controlled test data works regardless of which API is used.
  • SafetyGeneralAn integrity check (signature/MAC) added after deserialization already ran does not help — the attack happens during deserialization, so the check must gate the deserialization call itself, not just the object it produces.
  • PrivacyExecution & processesDeserialization proof-of-concept payloads (e.g. a crafted pickle or Java serialized stream) can trigger real code execution in a test environment; run them only in an isolated, disposable sandbox, never against a shared or production system.
  • PrivacyCredentials & tokensDo not commit real crafted exploit payloads, credentials, or internal class/package names discovered while testing into a public PR or issue; describe the vulnerable pattern instead of attaching a working exploit.

Safety notes

  • Deserializing untrusted data with a native format's full-featured API (pickle, unsafe YAML, Java Serializable, PHP unserialize) can cause denial-of-service or remote code execution — the vulnerability triggers during deserializing itself, before any application logic runs on the result.
  • AI assistants often reach for the most convenient deserialization call (pickle for Python object graphs, yaml.load for config-like YAML, ObjectInputStream for Java) without checking whether the input is trusted, since developer-controlled test data works regardless of which API is used.
  • An integrity check (signature/MAC) added after deserialization already ran does not help — the attack happens during deserialization, so the check must gate the deserialization call itself, not just the object it produces.

Privacy notes

  • Deserialization proof-of-concept payloads (e.g. a crafted pickle or Java serialized stream) can trigger real code execution in a test environment; run them only in an isolated, disposable sandbox, never against a shared or production system.
  • Do not commit real crafted exploit payloads, credentials, or internal class/package names discovered while testing into a public PR or issue; describe the vulnerable pattern instead of attaching a working exploit.

Prerequisites

  • A pull request, diff, or snippet containing AI-generated or AI-edited code that deserializes, unpickles, unmarshals, or loads structured data from an external source.
  • Knowledge of which deserialization APIs the language/framework in use considers "safe" versus "native/unsafe" (this differs significantly between Python, Java, PHP, Ruby, and JS/Node).
  • Awareness of which data sources in the application are genuinely untrusted (client-supplied, cross-service, or user-uploaded) versus fully internal and controlled.
  • Permission to block merge when untrusted data reaches a native deserialization API without an allowlist or integrity check.

Schema details

Install type
copy
Troubleshooting
Yes
Collection metadata
Estimated setup
15 minutes
Difficulty
intermediate
Full copyable content
You are reviewing AI-generated code for insecure deserialization risk.

Rules:
1. Identify every place the change deserializes data from a source that
   isn't fully trusted: request bodies, uploaded files, cache/queue
   messages, cookies, or responses from another service — and note which
   deserialization API is used for each.
2. Flag native/language-specific deserialization APIs applied to
   untrusted input: Python `pickle.load`/`pickle.loads` (and
   `cPickle`/`_pickle`), non-safe YAML loading (PyYAML `yaml.load` without
   `Loader=SafeLoader`, or any loader that can construct arbitrary
   objects), Java `ObjectInputStream#readObject` on a `Serializable`
   stream, and equivalent native-object deserializers in other languages
   (PHP `unserialize()`, Ruby `Marshal.load`). These formats can be
   crafted to execute arbitrary code or trigger denial-of-service simply
   by being deserialized.
3. Prefer a safe data-interchange format (JSON, or YAML with an explicitly
   restricted/safe loader) over a native serialization format whenever the
   data crosses a trust boundary, even if it costs some convenience
   (custom types, non-JSON-native values).
4. When a native format genuinely cannot be avoided, require an
   allowlist of the specific classes/types that may be constructed
   (Java: override `resolveClass()`; Python: restrict `pickle`'s globals)
   rather than deserializing into "whatever the stream says."
5. Require an integrity check (a signature or MAC verified before
   deserialization, not after) whenever a serialized blob is round-tripped
   through a client, cookie, cache, or other location a user could tamper
   with, so a modified payload is rejected before it reaches the
   deserializer.
6. Treat sensitive object fields you don't want exposed or attacker-set
   during (de)serialization as needing explicit exclusion (for example
   Java's `transient` keyword) rather than assuming they're safe by
   default.

About this resource

Purpose

Use these rules when an AI coding assistant writes or edits code that deserializes data from outside the process. The goal is to stop a generated integration, cache layer, or file-import feature from shipping a native deserialization call against untrusted input, where simply parsing a crafted payload — before any application logic runs — can trigger denial-of-service or remote code execution.

This is a review policy, not a deserialization tutorial. It tells reviewers what must be true about a generated change's deserialization API choice and trust boundary before the change is safe to merge.

Review Inputs

Collect enough context to know what is being deserialized and where it came from.

  • Every deserialization call the change adds or edits, and the exact API used (pickle.loads, yaml.load, ObjectInputStream#readObject, unserialize(), JSON.parse, a framework's model-binding layer, etc.).
  • Where the serialized data originates: a request body, an uploaded file, a cache/queue message, a cookie, or a response from another internal or external service.
  • Whether that source is fully trusted (only ever written by this application's own trusted code) or can be influenced by a user or another party.
  • Whether an integrity check (signature/MAC) exists, and whether it runs before or after the deserialization call.

Format And API Rules

  • Prefer JSON (or a YAML loader explicitly restricted to safe types) for any data that crosses a trust boundary; reserve native/full-featured serialization formats for data that never leaves fully trusted, internal control.
  • Flag pickle.load/pickle.loads (Python), non-safe YAML loading (PyYAML without an explicit safe loader), ObjectInputStream#readObject on Serializable data (Java), unserialize() (PHP), and Marshal.load (Ruby) whenever the input isn't fully trusted — these formats can reconstruct arbitrary objects, including ones whose construction or destruction has side effects, by design.
  • Confirm the deserialization target type is explicit and narrow (a known DTO/schema) rather than "whatever the stream says," even when using a nominally safer format like JSON, so unexpected fields or types can't silently reach application logic that assumes a specific shape.
  • Do not treat a library's default constructor/loader as safe without checking; defaults have changed between major versions of common libraries, and the safe option is often the one that must be explicitly chosen.

Trust Boundary And Defense Rules

  • When a native/full-featured format truly cannot be avoided, require a class/type allowlist so only explicitly approved types can be constructed during deserialization (Java: override resolveClass(); Python: restrict pickle's globals; equivalent mechanisms exist for other languages).
  • Require an integrity check (a signature or MAC) that is verified before the deserialization call runs, for any serialized blob a client, cookie, cache, or other tamperable location could have modified — a check that runs on the already-deserialized object is too late.
  • Treat any object round-tripped through the client (a serialized session, a "state" blob in a hidden field or cookie) as untrusted on the way back in, even if your own server produced it originally, unless it's signed or encrypted with a key the client never has.
  • Mark sensitive fields that should never be (de)serialized or exposed (credentials, internal tokens, computed/derived values) with the language's exclusion mechanism (for example Java's transient) instead of relying on convention.

Merge Blockers

Block merge when any of these is true.

  • Untrusted input (request body, upload, cache/queue message, cookie, cross-service response) reaches pickle, unsafe YAML loading, Java ObjectInputStream#readObject, PHP unserialize(), or an equivalent native deserializer with no allowlist or integrity check.
  • A native format is used for a trust-boundary-crossing payload when a safe data-interchange format (JSON, restricted YAML) would work instead, with no documented reason.
  • An integrity check exists but runs after deserialization rather than gating the deserialization call itself.
  • A client-tamperable serialized blob (cookie, hidden field, cache entry a user can influence) is deserialized without a signature/MAC verified first.
  • Sensitive fields on a serializable object are exposed with no exclusion mechanism applied.

Review Checklist

  • {"task": "Deserialization calls identified", "description": "Every deserialization call in the change is identified along with its exact API and data source"}
  • {"task": "Trust boundary assessed", "description": "Each data source is classified as trusted-internal or potentially attacker-influenced"}
  • {"task": "Safe format preferred", "description": "Untrusted data uses JSON or an explicitly restricted YAML loader rather than a native full-featured format"}
  • {"task": "Allowlist when native is required", "description": "Any unavoidable native-format deserialization of untrusted data is constrained by a class/type allowlist"}
  • {"task": "Integrity check gates deserialization", "description": "Signature/MAC verification happens before the deserialization call, not after"}
  • {"task": "Sensitive fields excluded", "description": "Fields that must not be exposed or attacker-set during (de)serialization use the language's exclusion mechanism"}

AI Review Rules

AI assistants can write and review deserialization code, but they should show their evidence.

  • Ask the assistant to list every deserialization call in the change, the exact API, and the trust level of its input source.
  • Require the assistant to justify any native/full-featured deserialization API used on data that isn't fully trusted-internal.
  • Have the assistant confirm whether an integrity check exists and exactly where it runs relative to the deserialization call.
  • Do not let the assistant claim a deserialization call is safe only because "it's from our own database/cache" without confirming nothing user-influenced ever writes to that store.
  • Re-run review after any change to serialization formats, trust boundaries, or shared (de)serialization helper functions.

Troubleshooting

  • Switching from pickle/native serialization to JSON breaks a custom type (datetime, a domain object with methods): implement explicit encode/decode functions for that type rather than reverting to a native format for convenience.
  • A class allowlist rejects a legitimate internal type: add that specific type to the allowlist deliberately and re-test, rather than disabling the allowlist.
  • An integrity check breaks a legitimate client round-trip: the client needs to receive and echo back the actual signed/encrypted blob, not a reconstructed copy — check that the signing key and the verification key match and that the payload isn't being rebuilt client-side.
  • Tests only cover well-formed payloads: add a test asserting that a malformed or unauthorized-type payload is rejected before any object construction happens, not just that valid payloads succeed.

Duplicate And History Check

Before adding a new deserialization call, confirm the codebase does not already have a shared safe-deserialization helper (a wrapper enforcing a safe loader, an allowlist, or signature verification) for this data type. A generated change that adds a new native deserialization call next to an existing safe helper should be treated as suspicious — check whether the existing mechanism was simply not reused before introducing a second, possibly unsafe one.

Reference

Pattern Risk Fix
pickle.loads(untrusted_bytes) Arbitrary code execution during unpickling JSON, or pickle with a restricted Unpickler.find_class
yaml.load(data) without a safe loader Can construct arbitrary Python/Ruby/etc. objects yaml.safe_load(data) / an explicit safe loader
ObjectInputStream#readObject() on untrusted data Gadget-chain remote code execution Override resolveClass() with an allowlist, or avoid Serializable
Signature check after deserializing Malicious object already constructed by the time it's checked Verify signature/MAC before calling the deserializer
Client-editable serialized "state" blob Tampering reconstructs an attacker-chosen object Sign/encrypt the blob server-side; verify before deserializing

Sources

  • OWASP Deserialization Cheat Sheet
  • CWE-502: Deserialization of Untrusted Data
  • OWASP Top 10 2021 — A08: Software and Data Integrity Failures
  • Python pickle documentation — Restricting Globals

Source citations

Add this badge to your README

Show that AI-Generated Insecure Deserialization Review Rules is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/rules/ai-generated-insecure-deserialization-review-rules.svg)](https://heyclau.de/entry/rules/ai-generated-insecure-deserialization-review-rules)

How it compares

AI-Generated Insecure Deserialization Review Rules side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

1 trust signal differ across this comparison (Submitter).

Field

Source-backed rules for reviewing AI-generated code that deserializes data before merge for insecure deserialization risk, covering native serialization formats (pickle, PyYAML, Java Serializable) that can execute arbitrary code on untrusted input, safe data-interchange alternatives, and class allowlisting/integrity checks when native formats can't be avoided.

Open dossier

Source-backed rules for reviewing AI-generated request handlers and forms before merge for cross-site request forgery risk, covering state-changing method discipline, anti-CSRF token correctness, SameSite cookie posture, origin and referer checks, and safe handling of cookie-based sessions.

Open dossier

Source-backed rules for reviewing AI-generated endpoints and data-access code before merge for insecure direct object reference risk, covering per-request object-level authorization checks, scoped database lookups, identifier exposure, and consistent enforcement across read, write, and admin operations.

Open dossier

Source-backed rules for reviewing AI-generated redirect and forward logic before merge for open redirect risk, covering allowlist-based destination validation, relative-path/indexed-mapping alternatives to raw URLs, and the privilege-escalation and phishing impact of an unvalidated redirect target.

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustPackage not verifiedPackage not verifiedPackage not verifiedPackage not verified
Source provenanceSource-backedSource-backedSource-backedSource-backed
SubmitterDifferslourincedaging0-commitsjaso0n0818lourincedaging0-commitslourincedaging0-commits
Install riskReview firstReview firstReview firstReview first
Notes Safety Privacy Safety Privacy Safety Privacy Safety Privacy
Brand
Categoryrulesrulesrulesrules
Sourcesource-backedsource-backedsource-backedsource-backed
Authorlourincedaging0-commitsjaso0n0818lourincedaging0-commitslourincedaging0-commits
Added2026-07-152026-06-222026-07-152026-07-15
Platforms
Claude Code
Claude Code
Claude Code
Claude Code
Source repo
Safety notesDeserializing untrusted data with a native format's full-featured API (pickle, unsafe YAML, Java Serializable, PHP unserialize) can cause denial-of-service or remote code execution — the vulnerability triggers during deserializing itself, before any application logic runs on the result. AI assistants often reach for the most convenient deserialization call (pickle for Python object graphs, yaml.load for config-like YAML, ObjectInputStream for Java) without checking whether the input is trusted, since developer-controlled test data works regardless of which API is used. An integrity check (signature/MAC) added after deserialization already ran does not help — the attack happens during deserialization, so the check must gate the deserialization call itself, not just the object it produces.A missing CSRF defense lets a malicious page perform state-changing actions as a logged-in user — transferring funds, changing email or password, or deleting data — using the victim's ambient cookies. AI assistants often generate handlers that work in tests yet omit token validation or perform state changes on GET, because the happy path succeeds without any forged cross-site request. Relying on SameSite cookies alone is not sufficient: defaults vary, Lax still allows top-level GET navigations, and some clients or legacy browsers do not enforce it.A missing object-level authorization check lets any authenticated (or sometimes unauthenticated) user read, modify, or delete another user's data by changing an identifier in the request — accounts, documents, orders, invoices, and support tickets are common targets. AI assistants often generate a correct-looking handler for the current user's own data and skip the cross-user check entirely, because the happy-path test only ever exercises the requester's own objects. Switching to random/UUID identifiers reduces guessability but is not an authorization control; do not accept it as a substitute for a server-side ownership or permission check.An open redirect lets an attacker craft a link that appears to point at the trusted site but silently forwards the victim to an attacker-controlled page, commonly used to make phishing links look more credible or to complete an OAuth/SSO flow against a fake page. AI assistants often implement a 'return to where you came from' or 'next page' feature by echoing a raw URL parameter straight into a redirect, because it is the shortest working implementation and the happy path (a same-site link) looks correct. A naive fix that checks whether the destination string 'contains' the trusted domain is not sufficient — `https://trusted.com.attacker.com` and `https://attacker.com/?trusted.com` both pass a substring check while pointing off-site.
Privacy notesDeserialization proof-of-concept payloads (e.g. a crafted pickle or Java serialized stream) can trigger real code execution in a test environment; run them only in an isolated, disposable sandbox, never against a shared or production system. Do not commit real crafted exploit payloads, credentials, or internal class/package names discovered while testing into a public PR or issue; describe the vulnerable pattern instead of attaching a working exploit.CSRF tokens are security credentials; do not paste real tokens, session cookies, or production request captures into public PR comments or issues. Use synthetic accounts and redacted requests when demonstrating a CSRF proof of concept, and avoid attaching real user identifiers. Be careful that anti-CSRF tokens are not written into URLs, analytics, or logs, where they can leak through referer headers or shared dashboards.IDOR proof-of-concept testing can expose another account's real data; use synthetic test accounts and synthetic objects rather than real user records when demonstrating the issue. Do not paste real user identifiers, documents, or other objects retrieved during testing into a public PR or issue; redact or replace them with placeholders. Server-side logs and error messages for a denied access attempt should avoid echoing back the unauthorized object's contents, only that access was denied.Open redirect proof-of-concept links can be used to demonstrate credential phishing; avoid pointing a demonstration at a real external site or capturing real user credentials, use a controlled test domain instead. Redirect destination parameters are sometimes logged for analytics; ensure logs of attempted-and-blocked off-site redirects don't retain full attacker payload URLs longer than needed for the security review.
Prerequisites
  • A pull request, diff, or snippet containing AI-generated or AI-edited code that deserializes, unpickles, unmarshals, or loads structured data from an external source.
  • Knowledge of which deserialization APIs the language/framework in use considers "safe" versus "native/unsafe" (this differs significantly between Python, Java, PHP, Ruby, and JS/Node).
  • Awareness of which data sources in the application are genuinely untrusted (client-supplied, cross-service, or user-uploaded) versus fully internal and controlled.
  • Permission to block merge when untrusted data reaches a native deserialization API without an allowlist or integrity check.
  • A pull request, diff, or snippet containing an AI-generated or AI-edited request handler, form, or fetch call with enough context to know how the user is authenticated.
  • Knowledge of how the framework manages sessions and CSRF tokens, since built-in protection, cookie defaults, and token helpers differ between frameworks.
  • Awareness of which routes change state and which are read-only, so the review can focus on unsafe methods.
  • Permission to block merge when a cookie-authenticated state change ships without a CSRF defense.
  • A pull request, diff, or snippet containing an AI-generated or AI-edited endpoint, resolver, or data-access function that accepts an object identifier from the request.
  • Knowledge of the application's ownership/permission model, since what counts as "authorized" differs between single-owner resources, shared resources, and admin-only resources.
  • Access to at least two distinct user accounts (or awareness of how to create them) to verify cross-account access is actually denied, not just assumed.
  • Permission to block merge when an object-level authorization check is missing, inconsistent, or client-trusted.
  • A pull request, diff, or snippet containing AI-generated or AI-edited redirect, forward, or "return to" logic.
  • Knowledge of which query parameters, form fields, or stored values in the application currently feed a redirect destination.
  • Awareness of the app's trusted domain(s) so an allowlist check (if one is added) can be scoped correctly.
  • Permission to block merge when a redirect destination is taken from user input without being restricted to a relative path or a validated allowlist.
Install
Config
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimed
Open 4 picks in the interactive comparison tool

Related guides

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.