Skip to main content
rulesSource-backedReview first Safety Privacy

AI-Generated Open Redirect Review Rules

Source-backed rules for reviewing AI-generated redirect and forward logic before merge for open redirect risk, covering allowlist-based destination validation, relative-path/indexed-mapping alternatives to raw URLs, and the privilege-escalation and phishing impact of an unvalidated redirect target.

by lourincedaging0-commits·added 2026-07-15·
HarnessClaude Code
Review first review before installing

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Source URLs
https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html, https://github.com/JSONbored/awesome-claude/blob/main/content/rules/ai-generated-open-redirect-review-rules.mdx
Safety notes
An open redirect lets an attacker craft a link that appears to point at the trusted site but silently forwards the victim to an attacker-controlled page, commonly used to make phishing links look more credible or to complete an OAuth/SSO flow against a fake page., AI assistants often implement a 'return to where you came from' or 'next page' feature by echoing a raw URL parameter straight into a redirect, because it is the shortest working implementation and the happy path (a same-site link) looks correct., A naive fix that checks whether the destination string 'contains' the trusted domain is not sufficient — `https://trusted.com.attacker.com` and `https://attacker.com/?trusted.com` both pass a substring check while pointing off-site.
Privacy notes
Open redirect proof-of-concept links can be used to demonstrate credential phishing; avoid pointing a demonstration at a real external site or capturing real user credentials, use a controlled test domain instead., Redirect destination parameters are sometimes logged for analytics; ensure logs of attempted-and-blocked off-site redirects don't retain full attacker payload URLs longer than needed for the security review.
Author
lourincedaging0-commits
Submitted by
lourincedaging0-commits
Claim status
unclaimed
Last verified
2026-07-15

Decision playbook

Review trust signals before you adopt

Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.

Compare context
Selected

0

Current score

78

Baseline

Delta

No baseline selected

No major trust-signal divergence detected in the current selection.

Source and provenance checks

Complete

Confirm ownership and provenance before trusting install instructions.

  • Source link availableRequired

    Open the canonical repository and verify ownership.

    Done
  • Source provenance statusRequired

    Marked as source-backed.

    Done
  • Metadata reviewed

    Registry metadata indicates a reviewed listing.

    Done

Safety and privacy checks

Complete

Validate risk disclosures before installation or API wiring.

  • Safety notes presentRequired

    Review the listed safety guidance before running commands.

    Done
  • Privacy notes presentRequired

    Review data handling notes before connecting accounts or secrets.

    Done
  • Trust level risk gateRequired

    Trust level does not block evaluation.

    Done

Package and install checks

Needs review

Check package metadata and artifact integrity signals.

  • Install payload available

    Install or copy payload is available for review.

    Done
  • Package verification flag

    No package verification flag provided.

    Pending
  • Checksum metadata

    No checksum provided for downloaded artifact.

    Pending

Compare-driven decision checks

Needs review

Use compare context to validate trade-offs before adoption.

  • Compare tray has multiple entries

    Add at least one more entry to compare trust differences.

    Pending
  • Baseline comparison available

    No baseline peer selected yet.

    Pending
  • Diverging trust signals identified

    No major trust-signal divergence found.

    Pending

Setup at a glance

Copy & paste

Copy-ready — paste the snippet to get started.

10 minutes

Install command

Not provided

Config snippet

Not provided

Copy snippet

Provided

Prerequisites

4 to clear

Platforms

1 listed

Install type

Copy & paste

Adoption plan

Balanced adoption plan

Current risk score 16/100. Use staged verification before broader rollout.

Risk 16

Pre-adoption checks

Validate source and review signals before any execution.

  • Confirm source provenanceRequired

    Source URL/provenance metadata is present.

    Done
  • Confirm metadata review state

    Listing has review metadata.

    Done
  • Verify install payload

    Install/config payload exists and can be inspected.

    Done

Security checks

Confirm safety, privacy, and package integrity signals.

  • Review safety notesRequired

    Safety notes are present.

    Done
  • Review privacy notesRequired

    Privacy notes are present.

    Done
  • Verify package integrity metadata

    No package verification/checksum metadata.

    Pending

Rollout

Adopt in controlled steps based on the selected plan.

  • Run in isolated sandbox firstRequired

    Use a constrained sandbox and observe behavior across multiple tasks.

    Pending
  • Roll out graduallyRequired

    Roll out to a small cohort before wider usage.

    Pending
  • Set monitoring and fallback

    Define rollback path and monitor errors after adoption.

    Pending

Evidence readiness

Evidence readiness matrix · balanced

Required evidence gates are covered (5/6 signals complete).

Risk 15

Source provenance

Present

Source repository/provenance is listed.

Required in this preset

Metadata review

Present

Review metadata is present.

Required in this preset

Safety notes

Present

Safety notes are present.

Required in this preset

Privacy notes

Present

Privacy notes are present.

Optional in this preset

Package integrity

Missing

Package integrity metadata is missing.

Optional in this preset

Install payload

Present

Install payload is available.

Required in this preset

Required evidence gates are covered for this preset.

Decision timeline

Decision timeline · balanced

5/6 steps complete with no blocking gaps for this preset.

Risk 14

triage

Confirm source provenanceRequired

Source/provenance metadata is available.

Done

triage

Check metadata review statusRequired

Review metadata is available.

Done

verify

Review safety notesRequired

Safety notes are available.

Done

verify

Review privacy notes

Privacy notes are available.

Done

verify

Validate package integrity metadata

Package integrity metadata is missing.

Pending

rollout

Verify install payload and commandsRequired

Install payload is available.

Done

No required blockers for this timeline preset.

Prerequisite readiness

Prerequisite readiness

4 prerequisites to line up before setup.

0/4 ready
Permissions & scopes2General210 minutes

Safety & privacy surface

Safety & privacy surface

3 safety and 2 privacy notes across 4 risk areas. Review closely: credentials & tokens, network access.

4 areas
  • SafetyCredentials & tokensAn open redirect lets an attacker craft a link that appears to point at the trusted site but silently forwards the victim to an attacker-controlled page, commonly used to make phishing links look more credible or to complete an OAuth/SSO flow against a fake page.
  • SafetyLocal filesAI assistants often implement a 'return to where you came from' or 'next page' feature by echoing a raw URL parameter straight into a redirect, because it is the shortest working implementation and the happy path (a same-site link) looks correct.
  • SafetyNetwork accessA naive fix that checks whether the destination string 'contains' the trusted domain is not sufficient — `https://trusted.com.attacker.com` and `https://attacker.com/?trusted.com` both pass a substring check while pointing off-site.
  • PrivacyCredentials & tokensOpen redirect proof-of-concept links can be used to demonstrate credential phishing; avoid pointing a demonstration at a real external site or capturing real user credentials, use a controlled test domain instead.
  • PrivacyData retentionRedirect destination parameters are sometimes logged for analytics; ensure logs of attempted-and-blocked off-site redirects don't retain full attacker payload URLs longer than needed for the security review.

Safety notes

  • An open redirect lets an attacker craft a link that appears to point at the trusted site but silently forwards the victim to an attacker-controlled page, commonly used to make phishing links look more credible or to complete an OAuth/SSO flow against a fake page.
  • AI assistants often implement a 'return to where you came from' or 'next page' feature by echoing a raw URL parameter straight into a redirect, because it is the shortest working implementation and the happy path (a same-site link) looks correct.
  • A naive fix that checks whether the destination string 'contains' the trusted domain is not sufficient — `https://trusted.com.attacker.com` and `https://attacker.com/?trusted.com` both pass a substring check while pointing off-site.

Privacy notes

  • Open redirect proof-of-concept links can be used to demonstrate credential phishing; avoid pointing a demonstration at a real external site or capturing real user credentials, use a controlled test domain instead.
  • Redirect destination parameters are sometimes logged for analytics; ensure logs of attempted-and-blocked off-site redirects don't retain full attacker payload URLs longer than needed for the security review.

Prerequisites

  • A pull request, diff, or snippet containing AI-generated or AI-edited redirect, forward, or "return to" logic.
  • Knowledge of which query parameters, form fields, or stored values in the application currently feed a redirect destination.
  • Awareness of the app's trusted domain(s) so an allowlist check (if one is added) can be scoped correctly.
  • Permission to block merge when a redirect destination is taken from user input without being restricted to a relative path or a validated allowlist.

Schema details

Install type
copy
Troubleshooting
Yes
Collection metadata
Estimated setup
10 minutes
Difficulty
beginner
Full copyable content
You are reviewing AI-generated code for open redirect (unvalidated
redirect/forward) risk.

Rules:
1. Identify every redirect or forward whose destination is built from
   request input — a query parameter (`?url=`, `?next=`, `?returnUrl=`,
   `?redirect=`), a form field, a header, or a stored value the user can
   set — rather than a hardcoded, developer-chosen destination.
2. Prefer not taking a destination from the client at all: use a fixed
   redirect target, or an indexed/enum mapping (`"dashboard"` ->
   `/app/dashboard`) where the client sends a key, not a URL.
3. When a caller-supplied return destination is genuinely required (for
   example a post-login redirect), restrict it to a relative, same-origin
   path and reject any value that is an absolute URL, starts with `//`
   (protocol-relative), or contains a scheme (`http:`, `https:`,
   `javascript:`, etc.).
4. If an absolute URL destination is unavoidable, validate the host
   against an explicit allowlist of trusted domains — do not accept "the
   path contains our domain name" or a prefix/substring check, since
   `evil.com/mysite.com` and `mysite.com.evil.com` both satisfy a naive
   substring check.
5. Treat this as more than a phishing issue: an unvalidated redirect can
   also be chained to bypass an allowlist-based access control check (a
   WAF or gateway that trusts the first hop) or to forward a user to a
   privileged internal endpoint they should not reach directly.
6. Confirm any code that runs after the redirect call actually stops
   (`return`/`exit`/equivalent) — in some languages the redirect response
   header can be set without halting execution, letting the rest of the
   handler run for a client that ignores the redirect.

About this resource

Purpose

Use these rules when an AI coding assistant writes or edits code that redirects or forwards a request to a URL influenced by user input. The goal is to stop a generated "return to previous page," post-login redirect, or similar feature from becoming an open redirect that phishing campaigns or access-control bypasses can exploit.

This is a review policy, not an open-redirect tutorial. It tells reviewers what must be true about a generated redirect's destination handling before the change is safe to merge.

Review Inputs

Collect enough context to know where a redirect destination comes from and where it can send a user.

  • Every redirect, forward, or "return to" call the change adds or edits, and the exact source of its destination value (query parameter, form field, header, session/stored value).
  • Whether the destination is ever a full URL versus always a relative path within the application.
  • The application's trusted domain(s), if an allowlist check is relevant.
  • Whether anything executes on the server after the redirect response is issued.

Destination Validation Rules

  • Prefer a hardcoded or indexed-mapping destination over taking any part of the URL from the client. If the client only needs to pick from a small known set of destinations, send a key and look up the real path server-side.
  • When a caller-supplied return path is required, accept only a relative, same-origin path: reject values that are absolute URLs, start with // (protocol-relative, which browsers treat as absolute), or contain a scheme such as http:, https:, or javascript:.
  • If an absolute URL is unavoidable, validate the parsed hostname against an explicit allowlist of trusted domains — parse the URL and compare the host field exactly (or against an allowed-suffix list of real subdomains), never a raw substring/.includes()/prefix check on the whole URL string.
  • Reject malformed or unparseable URLs outright rather than falling back to a default that might still be attacker-influenced.

Impact And Chaining Rules

  • Treat an unvalidated redirect as more than a cosmetic risk: it can make phishing links look legitimate (the initial domain is trusted) and can be chained to bypass allowlist-based checks in a proxy, WAF, or gateway that only inspects the first hop.
  • Check whether a redirect is used as part of an authentication or authorization flow (OAuth callback, SSO return URL, "continue to" after login) — these are higher-impact targets because a successful redirect can be paired with credential phishing or token leakage.
  • Confirm the handler actually stops executing after issuing a redirect response; in some frameworks/languages, setting a Location header does not itself halt the rest of the function, so code intended to run "after redirect" can still execute for a client that doesn't follow it.

Merge Blockers

Block merge when any of these is true.

  • A redirect or forward destination is built directly from user input (query parameter, form field, header, stored value) with no restriction to a relative path or validated allowlist.
  • Destination validation uses a substring/prefix/.includes() check on the trusted domain instead of parsing the URL and comparing the actual host.
  • An authentication/SSO-related redirect (login return URL, OAuth callback) accepts an unvalidated destination.
  • Code intended to run after a redirect is issued does not actually stop execution when the redirect is set.

Review Checklist

  • {"task": "Destination source identified", "description": "Every redirect's destination source (client input vs. hardcoded/mapped) is identified"}
  • {"task": "Relative path preferred", "description": "User-influenced redirects are restricted to relative, same-origin paths where possible"}
  • {"task": "Allowlist for absolute URLs", "description": "Any absolute-URL destination is validated against a real parsed-host allowlist, not a substring check"}
  • {"task": "Protocol-relative and scheme rejected", "description": "Values starting with // or containing a scheme (javascript:, https:, etc.) are rejected as relative paths"}
  • {"task": "Auth-flow redirects scrutinized", "description": "Login/SSO/OAuth return-URL redirects get the strictest validation, not the general-purpose one"}
  • {"task": "Execution halts on redirect", "description": "No code intended to run only after a redirect executes for clients that ignore it"}

AI Review Rules

AI assistants can write and review redirect logic, but they should show their evidence.

  • Ask the assistant to list every redirect/forward in the change and the exact source of its destination value.
  • Require the assistant to state whether each destination is restricted to a relative path or validated against a real host allowlist, not just "checked."
  • Have the assistant show the allowlist check's exact comparison logic (not a substring/prefix check) when an absolute URL destination is accepted.
  • Do not let the assistant claim a redirect is safe because it "looks like" it points at the right domain in the happy-path example.
  • Re-run review after any change to authentication flows, SSO callbacks, or shared redirect helper functions.

Troubleshooting

  • A legitimate cross-subdomain redirect gets rejected: add the specific subdomain to the allowlist explicitly rather than loosening the check to a suffix or substring match that could also match attacker-registered lookalike domains.
  • The relative-path restriction breaks a valid external partner redirect: that destination needs its own reviewed, explicit allowlist entry — do not remove the restriction to accommodate one case.
  • Tests only cover a same-site redirect: add a test asserting that an off-site or protocol-relative (//evil.example) destination is rejected, not just that the happy-path destination works.
  • A redirect works even though a check was added: confirm the check actually runs before the redirect call and that the function returns/exits after a rejection instead of falling through to redirect anyway.

Duplicate And History Check

Before adding a new redirect destination check, confirm the codebase does not already have a shared "safe redirect" helper or allowlist. A generated change that builds a new ad hoc validation next to an existing shared helper should be treated as suspicious — check whether the existing mechanism was simply not reused before introducing a second, potentially inconsistent one.

Reference

Pattern Risk Fix
redirect(request.params.url) Destination fully attacker-controlled Indexed mapping or relative-path-only restriction
url.includes("trusted.com") trusted.com.evil.com and similar bypass it Parse URL, compare exact host against an allowlist
Login return URL from query string, unchecked Chainable with credential phishing Same-origin relative path only for auth-flow redirects
//evil.example accepted as "relative" Browsers treat // as protocol-relative (absolute) Reject any destination starting with //
Code after sendRedirect/header("Location") May still execute if the client ignores the redirect Explicit return/exit immediately after issuing it

Sources

  • OWASP Unvalidated Redirects and Forwards Cheat Sheet
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
  • PortSwigger Web Security Academy: DOM-based open redirection
  • PortSwigger: Open redirection (reflected) issue reference

Source citations

Add this badge to your README

Show that AI-Generated Open Redirect Review Rules is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/rules/ai-generated-open-redirect-review-rules.svg)](https://heyclau.de/entry/rules/ai-generated-open-redirect-review-rules)

How it compares

AI-Generated Open Redirect Review Rules side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

1 trust signal differ across this comparison (Submitter).

Field

Source-backed rules for reviewing AI-generated redirect and forward logic before merge for open redirect risk, covering allowlist-based destination validation, relative-path/indexed-mapping alternatives to raw URLs, and the privilege-escalation and phishing impact of an unvalidated redirect target.

Open dossier

Source-backed rules for reviewing AI-generated request handlers and forms before merge for cross-site request forgery risk, covering state-changing method discipline, anti-CSRF token correctness, SameSite cookie posture, origin and referer checks, and safe handling of cookie-based sessions.

Open dossier

Source-backed rules for reviewing AI-generated code that deserializes data before merge for insecure deserialization risk, covering native serialization formats (pickle, PyYAML, Java Serializable) that can execute arbitrary code on untrusted input, safe data-interchange alternatives, and class allowlisting/integrity checks when native formats can't be avoided.

Open dossier

Source-backed rules for reviewing AI-generated code that binds request parameters to model/entity objects before merge for mass assignment risk, covering allowlist field binding, DTOs that exclude sensitive fields, and the framework-specific autobinding features that make this easy to introduce by default.

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustPackage not verifiedPackage not verifiedPackage not verifiedPackage not verified
Source provenanceSource-backedSource-backedSource-backedSource-backed
SubmitterDifferslourincedaging0-commitsjaso0n0818lourincedaging0-commitslourincedaging0-commits
Install riskReview firstReview firstReview firstReview first
Notes Safety Privacy Safety Privacy Safety Privacy Safety Privacy
Brand
Categoryrulesrulesrulesrules
Sourcesource-backedsource-backedsource-backedsource-backed
Authorlourincedaging0-commitsjaso0n0818lourincedaging0-commitslourincedaging0-commits
Added2026-07-152026-06-222026-07-152026-07-15
Platforms
Claude Code
Claude Code
Claude Code
Claude Code
Source repo
Safety notesAn open redirect lets an attacker craft a link that appears to point at the trusted site but silently forwards the victim to an attacker-controlled page, commonly used to make phishing links look more credible or to complete an OAuth/SSO flow against a fake page. AI assistants often implement a 'return to where you came from' or 'next page' feature by echoing a raw URL parameter straight into a redirect, because it is the shortest working implementation and the happy path (a same-site link) looks correct. A naive fix that checks whether the destination string 'contains' the trusted domain is not sufficient — `https://trusted.com.attacker.com` and `https://attacker.com/?trusted.com` both pass a substring check while pointing off-site.A missing CSRF defense lets a malicious page perform state-changing actions as a logged-in user — transferring funds, changing email or password, or deleting data — using the victim's ambient cookies. AI assistants often generate handlers that work in tests yet omit token validation or perform state changes on GET, because the happy path succeeds without any forged cross-site request. Relying on SameSite cookies alone is not sufficient: defaults vary, Lax still allows top-level GET navigations, and some clients or legacy browsers do not enforce it.Deserializing untrusted data with a native format's full-featured API (pickle, unsafe YAML, Java Serializable, PHP unserialize) can cause denial-of-service or remote code execution — the vulnerability triggers during deserializing itself, before any application logic runs on the result. AI assistants often reach for the most convenient deserialization call (pickle for Python object graphs, yaml.load for config-like YAML, ObjectInputStream for Java) without checking whether the input is trusted, since developer-controlled test data works regardless of which API is used. An integrity check (signature/MAC) added after deserialization already ran does not help — the attack happens during deserialization, so the check must gate the deserialization call itself, not just the object it produces.Mass assignment lets an attacker set fields on a model that were never meant to be user-editable — a privilege flag, an ownership reference, a price — simply by adding an extra parameter the client controls to a request that already succeeds for legitimate fields. AI assistants often generate the shortest working binding code (bind the whole request body onto the model, or a framework's default autobinding) because it passes the happy-path test with only the intended fields present, without adding the allowlist/DTO layer that blocks unintended ones. This is not a theoretical risk: a mass assignment vulnerability in GitHub's own public-key update form in 2012 let an attacker add their SSH key to the rails organization and push code, entirely through an unintended request parameter.
Privacy notesOpen redirect proof-of-concept links can be used to demonstrate credential phishing; avoid pointing a demonstration at a real external site or capturing real user credentials, use a controlled test domain instead. Redirect destination parameters are sometimes logged for analytics; ensure logs of attempted-and-blocked off-site redirects don't retain full attacker payload URLs longer than needed for the security review.CSRF tokens are security credentials; do not paste real tokens, session cookies, or production request captures into public PR comments or issues. Use synthetic accounts and redacted requests when demonstrating a CSRF proof of concept, and avoid attaching real user identifiers. Be careful that anti-CSRF tokens are not written into URLs, analytics, or logs, where they can leak through referer headers or shared dashboards.Deserialization proof-of-concept payloads (e.g. a crafted pickle or Java serialized stream) can trigger real code execution in a test environment; run them only in an isolated, disposable sandbox, never against a shared or production system. Do not commit real crafted exploit payloads, credentials, or internal class/package names discovered while testing into a public PR or issue; describe the vulnerable pattern instead of attaching a working exploit.Mass assignment proof-of-concept testing (setting an unintended field like an admin flag) can grant real elevated access in a shared test environment; use an isolated account and environment, never a shared staging or production system. Do not commit a working exploit request (the exact extra parameter and target field) targeting a real internal endpoint into a public PR or issue; describe the vulnerable binding pattern and the class of field involved instead.
Prerequisites
  • A pull request, diff, or snippet containing AI-generated or AI-edited redirect, forward, or "return to" logic.
  • Knowledge of which query parameters, form fields, or stored values in the application currently feed a redirect destination.
  • Awareness of the app's trusted domain(s) so an allowlist check (if one is added) can be scoped correctly.
  • Permission to block merge when a redirect destination is taken from user input without being restricted to a relative path or a validated allowlist.
  • A pull request, diff, or snippet containing an AI-generated or AI-edited request handler, form, or fetch call with enough context to know how the user is authenticated.
  • Knowledge of how the framework manages sessions and CSRF tokens, since built-in protection, cookie defaults, and token helpers differ between frameworks.
  • Awareness of which routes change state and which are read-only, so the review can focus on unsafe methods.
  • Permission to block merge when a cookie-authenticated state change ships without a CSRF defense.
  • A pull request, diff, or snippet containing AI-generated or AI-edited code that deserializes, unpickles, unmarshals, or loads structured data from an external source.
  • Knowledge of which deserialization APIs the language/framework in use considers "safe" versus "native/unsafe" (this differs significantly between Python, Java, PHP, Ruby, and JS/Node).
  • Awareness of which data sources in the application are genuinely untrusted (client-supplied, cross-service, or user-uploaded) versus fully internal and controlled.
  • Permission to block merge when untrusted data reaches a native deserialization API without an allowlist or integrity check.
  • A pull request, diff, or snippet containing AI-generated or AI-edited code that binds request data to a model, entity, or ORM object.
  • Knowledge of which fields on the affected model/entity are sensitive (admin/role flags, ownership references, financial fields, verification/status flags).
  • Familiarity with the specific framework's autobinding and allowlist/block-list mechanism in use, since the safe pattern differs meaningfully between Spring MVC, Rails, Mongoose/Node, Django, and hand-rolled binding code.
  • Permission to block merge when a request-to-model binding path can set a sensitive field with no allowlist, block-list, or DTO in place.
Install
Config
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimed
Open 4 picks in the interactive comparison tool

Related guides

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.