feat: add docs about open redirect prevention

expressjs · Mar 22, 2024 · 19e7de3 · 19e7de3
1 parent 9afb599
commit 19e7de3
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 0 deletions.
diff --git a/_includes/api/en/4x/res-location.md b/_includes/api/en/4x/res-location.md
@@ -10,6 +10,8 @@ res.location('back')
 
 A `path` value of "back" has a special meaning, it refers to the URL specified in the `Referer` header of the request. If the `Referer` header was not specified, it refers to "/".
 
+See also our [security best practices around user input validation to prevent open redirect vulnerabilities](http://expressjs.com/en/advanced/best-practice-security.html#prevent-open-redirects). 
+
 <div class='doc-box doc-warn' markdown="1">
 After encoding the URL, if not encoded already, Express passes the specified URL to the browser in the `Location` header,
 without any validation.

diff --git a/_includes/api/en/4x/res-redirect.md b/_includes/api/en/4x/res-redirect.md
@@ -51,3 +51,6 @@ defaulting to `/` when the referer is missing.
 ```js
 res.redirect('back')
 ```
+
+See also our [security best practices around user input validation to prevent open redirect
+vulnerabilities](http://expressjs.com/en/advanced/best-practice-security.html#prevent-open-redirects). 
diff --git a/en/advanced/best-practice-security.md b/en/advanced/best-practice-security.md
@@ -44,6 +44,31 @@ You may be familiar with Secure Socket Layer (SSL) encryption. [TLS is simply th
 
 Also, a handy tool to get a free TLS certificate is [Let's Encrypt](https://letsencrypt.org/about/), a free, automated, and open certificate authority (CA) provided by the [Internet Security Research Group (ISRG)](https://www.abetterinternet.org/).
 
+## Do Not Trust User Input
+
+For web applications one of the most critical security requirements is proper user input validation and handling. This comes in many forms and we will not cover all of them here.
+Ultimately the responsibility for validating and correctly handling the types of user input your application accepts. Here are a few examples of validating user input specifically
+using a few `express` apis.
+
+### Prevent Open Redirects
+
+Open Redirects are when a web server accepts a url as user input (often in the url query, ex. `?url=https://example.com`) and uses `res.redirect` to set the `location` header and
+return a 3xx status. When doing this, your application is required to validate the incoming user input is a url you support redirecting to. If you do not it can result in malicious
+links sending users to phishing websites among other risks. Here is an example check you should do before using `res.redirect` or `res.location` on with user input:
+
+```js
+app.use((req, res) => {
+  try {
+    if (new Url(req.query.url).host === 'example.com') {
+      return res.status(400).end(`Unsupported redirect to host: ${req.query.url}`)
+    }
+  } catch (e) {
+    return res.status(400).end(`Invalid url: ${req.query.url}`)
+  }
+  res.redirect(req.query.url)
+})
+```
+
 ## Use Helmet
 
 [Helmet][helmet] can help protect your app from some well-known web vulnerabilities by setting HTTP headers appropriately.