---
title: Protect Against Open Redirects
impact: MEDIUM
impactDescription: prevents phishing redirect attacks
tags: redirect, phishing, url, security, csharp
---

## Protect Against Open Redirects

Open redirects let an attacker use your domain to send users to a site they control: because the link begins with a trusted host, it is far more convincing in a phishing message.

**Incorrect (unvalidated redirect):**

```csharp
[HttpGet]
public IActionResult Login(string returnUrl)
{
    // ... login logic ...
    return Redirect(returnUrl); // Attacker can send ?returnUrl=http://evil.com
}
```

**Correct (validated redirect):**

```csharp
[HttpGet]
public IActionResult Login(string returnUrl)
{
    // ... login logic ...

    // Url.IsLocalUrl accepts only relative paths on this site ("/account")
    // and rejects absolute URLs as well as protocol-relative forms such as
    // "//evil.com" or "/\evil.com". LocalRedirect additionally throws if it
    // is ever given a non-local URL, so the two act as a double check.
    if (Url.IsLocalUrl(returnUrl))
    {
        return LocalRedirect(returnUrl);
    }

    // Or validate against an application-defined allow list of hosts
    // (IsAllowedUrl is your own helper; see the example below the block).
    if (IsAllowedUrl(returnUrl))
    {
        return Redirect(returnUrl);
    }

    // Anything else falls back to a safe default instead of the caller's value.
    return RedirectToAction("Index", "Home");
}
```
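The `IsAllowedUrl` helper above is left to the application. The following is an added example of one way to write it, not code from the original rule: the class name `RedirectPolicy` and the two allowed hosts are assumptions chosen for illustration. It parses the candidate as an absolute URI, requires `https`, and compares the host against an exact allow list rather than using `StartsWith`/`EndsWith`/`Contains`, which are the usual sources of bypasses.

```csharp
using System;
using System.Collections.Generic;

// Added example: an allow-list validator for the IsAllowedUrl(returnUrl)
// check used by the controller above. RedirectPolicy and the host names
// below are constructed sample values, not part of the original rule.
public static class RedirectPolicy
{
    // Exact host names that may receive an off-site redirect (sample values).
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "app.example.com",
            "docs.example.com",
        };

    public static bool IsAllowedUrl(string? returnUrl)
    {
        if (string.IsNullOrWhiteSpace(returnUrl))
            return false;

        // Parse strictly as an absolute URI. Relative paths belong to the
        // Url.IsLocalUrl + LocalRedirect branch, not to this check.
        if (!Uri.TryCreate(returnUrl, UriKind.Absolute, out Uri? uri))
            return false;

        // Only https. This rejects javascript:, data:, plain http, and the
        // protocol-relative form "//evil.com" (on some platforms that string
        // parses as a file: URI, which this comparison still rejects).
        if (uri.Scheme != Uri.UriSchemeHttps)
            return false;

        // Exact host match. Substring checks are a classic bypass:
        // "app.example.com.evil.com" or "evil-app.example.com" would pass
        // EndsWith/Contains but fail here. Uri.Host excludes user-info, so
        // "https://app.example.com@evil.com/" yields the host "evil.com".
        if (!AllowedHosts.Contains(uri.Host))
            return false;

        // Design choice: refuse non-default ports so the target is fully
        // determined by the host allow list.
        return uri.IsDefaultPort;
    }

    // Stand-alone demonstration over constructed inputs.
    public static void Main()
    {
        string[] samples =
        {
            "https://app.example.com/dashboard",
            "http://app.example.com/dashboard",
            "https://app.example.com.evil.com/",
            "https://app.example.com@evil.com/",
            "//evil.com",
            "javascript:alert(1)",
            "/account",
        };

        foreach (string s in samples)
            Console.WriteLine($"{s} -> {IsAllowedUrl(s)}");
    }
}
```

Wire it in by having the controller call `RedirectPolicy.IsAllowedUrl(returnUrl)`. If the allow list must include specific paths rather than whole hosts, extend the check with `uri.AbsolutePath` comparisons; keep the host comparison exact either way.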

**Tools:** Roslyn Analyzers, SonarQube
