What this section covers

Redirect vulnerabilities occur when attackers manipulate URL redirects to send users to malicious sites or intercept traffic. This guide covers common redirect attack patterns and mitigation strategies.

Why redirect security matters

Redirect vulnerabilities enable:

  • Phishing attacks: Legitimate-looking URLs redirecting to fake login pages
  • Malware distribution: Redirects to drive-by download sites
  • SEO hijacking: Manipulating search rankings via redirect chains
  • Session hijacking: Intercepting authentication tokens during redirects

Common redirect vulnerabilities

Open redirect vulnerability

Unvalidated redirect parameters:

# Vulnerable pattern:
https://example.com/redirect?url=https://attacker.com

# Attacker exploitation:
https://trusted-site.com/go?next=https://phishing-site.com/fake-login

Users see trusted-site.com but end up on phishing-site.com.

Redirect chain hijacking

Manipulating multi-hop redirects:

1. User clicks: https://site-a.com/link
2. Redirects to: https://site-b.com/proxy
3. Redirects to: https://attacker.com (hijacked)

Meta refresh exploitation

HTML-based redirects:

<meta http-equiv="refresh" content="0;url=https://attacker.com">

Less obvious than HTTP redirects and harder to filter, because the redirect lives in the response body rather than in a Location header that proxies and log pipelines already inspect.

Prevention strategies

1. Whitelist allowed destinations

Only redirect to known-safe domains:

const allowedHosts = [
  'wplus.net',
  'legion.wplus.net',
  'adsl.wplus.net'
];

// Resolve the candidate against the site's own origin so that relative
// paths ("/operations/") are accepted and absolute URLs are checked
// against the allowlist. Anything that does not parse is rejected
// instead of throwing out of the handler.
function validateRedirect(url, siteOrigin = 'https://wplus.net') {
  let destination;
  try {
    destination = new URL(url, siteOrigin);
  } catch (e) {
    return false;            // malformed input is never a valid redirect
  }
  return destination.protocol === 'https:' &&
    allowedHosts.includes(destination.hostname);
}

2. Use relative URLs

Where possible, avoid external redirects:

# Safe:
Location: /infrastructure/
Location: ../operations/

# Requires validation:
Location: https://external-site.com/

3. Signed redirect tokens

For necessary external redirects:

# Generate token (the secret is the HMAC key, not part of the message;
# the message covers both destination and expiry so neither can be changed alone):
token = HMAC-SHA256(key=secret, message=destination + "|" + expiry)

# Verify before redirecting: recompute the token from url and expires,
# compare in constant time, and reject if expires is in the past:
https://wplus.net/out?url=example.com&token=abc123&expires=timestamp

4. Content Security Policy

Restrict where pages can redirect:

Content-Security-Policy: navigate-to 'self' https://wplus.net

Note that navigate-to was removed from the CSP Level 3 draft and is not enforced by current browsers, so treat it as defence in depth; the server-side allowlist above remains the control that actually blocks an open redirect.

Cloudflare-specific protections

Worker redirect validation

// Cloudflare Worker example
addEventListener('fetch', event => {
  event.respondWith(handleRedirect(event.request));
});

// Hosts this worker may redirect to; everything else is refused
const allowedHosts = ['wplus.net', 'legion.wplus.net', 'adsl.wplus.net'];

function isSafeDomain(destination) {
  if (!destination) return false;          // missing ?url= parameter
  try {
    const parsed = new URL(destination);   // throws on relative or malformed input
    return parsed.protocol === 'https:' &&
      allowedHosts.includes(parsed.hostname);
  } catch (e) {
    return false;
  }
}

async function handleRedirect(request) {
  const url = new URL(request.url);
  const destination = url.searchParams.get('url');

  // Validate destination before issuing any redirect
  if (!isSafeDomain(destination)) {
    return new Response('Invalid redirect', { status: 400 });
  }

  // Response.redirect() requires an absolute URL, which isSafeDomain guarantees
  return Response.redirect(destination, 302);
}

_redirects file rules

Static redirect configurations:

# Safe internal redirects:
/old-path/  /new-path/  301

# External redirects to a fixed destination (no user-controlled input):
/go/cloudflare  https://cloudflare.com  302

# Block open redirect patterns:
/redirect*  /redirect-blocked  403

Detection and monitoring

Log analysis

Watch for suspicious patterns:

  • High redirect volumes to single destination
  • Redirects to recently-registered domains
  • Unusual referrer patterns
  • Redirect loops (A→B→A)
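The following script, added here as an example and not part of the original page, runs three of the checks above over a constructed set of redirect log records: volume per destination host, two-hop loops (A→B→A), and referrers from outside the site. The record shape, host names and threshold are constructed for the example; checking for recently registered domains needs an external registration-data lookup and is left out.

```javascript
// Constructed sample of redirect log records (not real traffic): one entry
// per 3xx response, with the request URL, the Location target and the
// Referer seen on the request.
const SAMPLE_LOG = [
  { ts: '2024-05-01T10:00:01Z', request: 'https://wplus.net/go?next=a', location: 'https://legion.wplus.net/', referer: 'https://wplus.net/' },
  { ts: '2024-05-01T10:00:02Z', request: 'https://wplus.net/go?next=b', location: 'https://unknown-host.example/', referer: '' },
  { ts: '2024-05-01T10:00:03Z', request: 'https://wplus.net/go?next=b', location: 'https://unknown-host.example/', referer: '' },
  { ts: '2024-05-01T10:00:04Z', request: 'https://wplus.net/go?next=b', location: 'https://unknown-host.example/', referer: 'https://mail.example/' },
  { ts: '2024-05-01T10:00:05Z', request: 'https://site-a.example/link',  location: 'https://site-b.example/proxy', referer: '' },
  { ts: '2024-05-01T10:00:06Z', request: 'https://site-b.example/proxy', location: 'https://site-a.example/link',  referer: '' },
];

// Hostname of a URL, or null when the field is empty or unparseable.
function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return null; }
}

// Number of redirects issued to each destination host.
function countByDestination(log) {
  const counts = new Map();
  for (const entry of log) {
    const host = hostOf(entry.location);
    if (host) counts.set(host, (counts.get(host) || 0) + 1);
  }
  return counts;
}

// Destination hosts that received at least `threshold` redirects in the window.
function highVolumeDestinations(log, threshold) {
  return [...countByDestination(log)]
    .filter(([, n]) => n >= threshold)
    .map(([host]) => host)
    .sort();
}

// Two-hop loops between hosts: an edge A>B whose reverse edge B>A also exists.
function redirectLoops(log) {
  const edges = new Set();
  for (const entry of log) {
    const from = hostOf(entry.request), to = hostOf(entry.location);
    if (from && to && from !== to) edges.add(`${from}>${to}`);
  }
  const loops = [];
  for (const edge of edges) {
    const [a, b] = edge.split('>');
    if (a < b && edges.has(`${b}>${a}`)) loops.push([a, b]);   // report each pair once
  }
  return loops;
}

// Redirects whose Referer is present but belongs to none of our own hosts.
function foreignReferers(log, ownHosts) {
  return log.filter(entry => {
    const ref = hostOf(entry.referer);
    return ref !== null && !ownHosts.includes(ref);
  });
}

// Usage over the constructed sample.
console.log('high volume:', highVolumeDestinations(SAMPLE_LOG, 3));
console.log('loops:', redirectLoops(SAMPLE_LOG));
console.log('foreign referers:', foreignReferers(SAMPLE_LOG, ['wplus.net', 'legion.wplus.net']).length);
```

In a real pipeline the same functions run over a sliding window of the redirect service's access log; the threshold is tuned to normal traffic, and a hit on a host that is not in the redirect allowlist is the strongest signal that validation has been bypassed.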

Security headers

Set protective headers on redirect responses:

X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin

Safe redirect patterns

Internal navigation

<!-- Safe: relative URL -->
<a href="/operations/">Operations Hub</a>

<!-- Safe: same-origin absolute -->
<a href="https://wplus.net/security/">Security Hub</a>

External links (not redirects)

<!-- Safe: direct link with warning -->
<a href="https://external-site.com" 
   rel="noopener noreferrer" 
   target="_blank">
  External Resource ↗
</a>

Verified exit pages

For tracking external links, route them through an exit page:

https://wplus.net/exit-warning?destination=external-site.com

An interstitial page that warns users they are leaving the site. The destination parameter still needs the same allowlist or signed-token check as any other redirect; otherwise the exit page itself becomes an open redirect.

Technical glossary

Open redirect : Vulnerability in which an unvalidated destination parameter lets a redirect send users to an arbitrary site

Redirect chain : Series of HTTP redirects from origin to final destination

Meta refresh : HTML-based redirect using <meta> tag instead of HTTP headers

HMAC : Hash-based Message Authentication Code for signing data

Phishing : Deceptive practice of impersonating trusted sites to steal credentials