Security · Medium

Open Redirects

Checks for URL parameters that redirect to arbitrary external domains — phishing helper.

What this check measures

We probe common redirect parameters (`?redirect=`, `?url=`, `?next=`) with an external domain value. If the site 302s to our external URL without validation, it's an open redirect.

Why it matters

Open redirects are phishing's best friend: attackers craft URLs like `yoursite.com/login?redirect=https://evil.com`. Users trust the yoursite.com domain, click, and get redirected to a clone. Because the visible domain is the legitimate one, such links also bypass email link filters.


How our audit detects it

POST and GET common redirect endpoints with external URL values. Verify the response redirects to our external value.

Typical findings

  • `/login?redirect=https://evil.com` — unvalidated.
  • `/sso?returnUrl=...` accepts any value.
  • Logout endpoint redirects to any URL the client requests.

How to fix

Validate redirect URLs against an allowlist of known paths or same-origin hosts. Reject any absolute external URL. If cross-domain redirects are required, maintain a static allowlist.
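One way to implement the fix described above, as an added example that is not Pantra's own code: a validator that accepts same-origin paths, accepts absolute URLs only for hosts on a static allowlist, and otherwise falls back to `/`. `yoursite.com` comes from the page; the partner host, the `safe_redirect_target` function name and the sample inputs are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the app's own host plus one trusted partner host
# for the cross-domain case the text mentions. Exact host match only.
APP_HOST = "yoursite.com"
ALLOWED_HOSTS = {APP_HOST, "sso.partner.example"}
DEFAULT_TARGET = "/"


def safe_redirect_target(value, allowed_hosts=ALLOWED_HOSTS):
    """Return a value that is safe to put in a Location header.

    Same-origin relative paths pass through; absolute URLs pass only when
    the scheme is http(s) and the host is on the allowlist. Everything
    else is replaced by DEFAULT_TARGET rather than raising.
    """
    if not value:
        return DEFAULT_TARGET
    # Browsers treat backslashes in URLs as forward slashes, so normalise
    # before parsing; otherwise "/\host" looks like a path to urlsplit but
    # is scheme-relative to a browser.
    candidate = value.replace("\\", "/")
    # Whitespace and control characters are parsed differently by servers
    # and browsers; a legitimate in-app redirect never contains them.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        return DEFAULT_TARGET
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative ("//host") URL.
        if parts.scheme not in ("", "http", "https"):
            return DEFAULT_TARGET  # blocks javascript:, data:, etc.
        if parts.username or parts.password:
            return DEFAULT_TARGET  # "https://trusted@other" style userinfo
        host = parts.hostname  # lowercased; None for "https:host" forms
        if host is None or host not in allowed_hosts:
            return DEFAULT_TARGET
        return candidate
    # Relative target: must be a single-slash path. "//host" and "///host"
    # are treated by browsers as a different origin, so reject them; a bare
    # "host.example" without a leading slash is rejected for the same reason.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_TARGET
    return candidate
```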

Frequently asked questions

Is this really exploitable?
Yes — Microsoft, Google, and banks have all had open-redirect CVEs. Bug bounty programs pay for them. Easy to fix, real impact.

Want this checked on your site?

Pantra runs the full audit (SEO, Security, GEO, Performance, Schema, Technical, Images) in 10 seconds and generates stack-specific fix prompts.
