Open Redirect Protection
How it works
A redirect destination is considered safe if:
- It is a relative path (`/dashboard`, `../profile`): always safe
- The host is localhost or loopback (`localhost`, `127.x.x.x`, `[::1]`, or an IPv4-mapped IPv6 address such as `[::ffff:127.0.0.1]`): always safe
- The host matches an entry in `with_allowed_hosts` (exact match, or wildcard subdomain)
Any other absolute URL is blocked with HTTP 400.
Configuration
There is no dedicated configuration; the middleware reads the `with_allowed_hosts` list automatically:
```rust
.middleware(|m| {
    m.with_allowed_hosts(|h| {
        h.enabled(true)
            .host("example.com")
            .host(".example.com") // example.com + all subdomains
    })
})
```
The open redirect middleware is always active and uses the same host list. Because both checks share one list, a wildcard entry such as `.example.com` also widens where a redirect may land, so keep entries as narrow as the application needs.
Protocol-relative URLs
URLs starting with `//` (e.g. `//evil.com/path`) are treated as absolute and subject to the same host check: they are blocked unless the host is in the allowed list.
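As an added example, not the framework's own code, the following stand-alone Rust model implements the rule set described above (relative path, loopback host, allowed-host entry with exact or `.`-prefixed wildcard match) and treats protocol-relative `//host` targets as absolute. `check_redirect`, `Verdict` and the helper functions are hypothetical names; the one assumption beyond the text is that backslashes are folded to `/` before classification, because browsers read `/\evil.com` as `//evil.com` and it must not slip through as a relative path.

```rust
// Added example (hypothetical names, std only); not the middleware's own code.
use std::net::IpAddr;

/// Result of checking one redirect target.
#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Allow,
    /// Rejected; the text maps this to an HTTP 400 response.
    Block(&'static str),
}

/// An allowed-host entry is either "example.com" (exact) or
/// ".example.com" (apex plus every subdomain), matched case-insensitively.
fn host_allowed(allowed: &[&str], host: &str) -> bool {
    allowed.iter().any(|entry| {
        let entry = entry.to_ascii_lowercase();
        match entry.strip_prefix('.') {
            Some(apex) => host == apex || host.ends_with(&format!(".{apex}")),
            None => host == entry.as_str(),
        }
    })
}

/// Loopback per the rule: "localhost", 127.0.0.0/8, [::1], or an
/// IPv4-mapped IPv6 literal ([::ffff:127.0.0.1]) wrapping a 127/8 address.
fn is_loopback_host(host: &str) -> bool {
    if host == "localhost" {
        return true;
    }
    let literal = host
        .strip_prefix('[')
        .and_then(|h| h.strip_suffix(']'))
        .unwrap_or(host);
    match literal.parse::<IpAddr>() {
        Ok(IpAddr::V4(v4)) => v4.is_loopback(),
        Ok(IpAddr::V6(v6)) => {
            v6.is_loopback() || v6.to_ipv4_mapped().map_or(false, |v4| v4.is_loopback())
        }
        Err(_) => false,
    }
}

/// Host part of an authority ("user:pw@host:port" -> "host"), lowercased.
/// rsplit on '@' drops userinfo so "example.com@evil.com" yields "evil.com";
/// bracketed IPv6 literals keep their brackets so inner ':' is not a port.
fn host_of_authority(authority: &str) -> Option<String> {
    let hostport = authority.rsplit('@').next().unwrap_or(authority);
    let host = if hostport.starts_with('[') {
        &hostport[..=hostport.find(']')?]
    } else {
        hostport.split(':').next().unwrap_or(hostport)
    };
    (!host.is_empty()).then(|| host.to_ascii_lowercase())
}

/// Classify `target` with the rules from the text. Assumption of this example:
/// backslashes are folded to "/" first, since browsers treat "/\evil.com" as
/// "//evil.com", so it must not be accepted as a relative path.
pub fn check_redirect(target: &str, allowed: &[&str]) -> Verdict {
    let t = target.trim().replace('\\', "/");
    if t.is_empty() || t.chars().any(char::is_control) {
        return Verdict::Block("empty or contains control characters");
    }
    // Locate the authority ("//host...") if the target has one.
    let after_slashes: &str = if let Some(rest) = t.strip_prefix("//") {
        rest // protocol-relative: checked exactly like an absolute URL
    } else if t.starts_with('/') {
        return Verdict::Allow; // "/dashboard": relative path, always safe
    } else {
        // "scheme:..." is absolute; anything else ("../profile") is relative.
        let colon = t.find(':');
        let scheme = colon.map(|i| &t[..i]).unwrap_or("");
        let is_scheme = scheme.chars().next().map_or(false, |c| c.is_ascii_alphabetic())
            && scheme.chars().all(|c| c.is_ascii_alphanumeric() || "+-.".contains(c));
        if !is_scheme {
            return Verdict::Allow;
        }
        match t[colon.unwrap() + 1..].strip_prefix("//") {
            Some(rest) => rest,
            // "javascript:", "data:", "mailto:" carry no host that could be allowed.
            None => return Verdict::Block("absolute URL without a host"),
        }
    };
    let end = after_slashes
        .find(|c: char| c == '/' || c == '?' || c == '#')
        .unwrap_or(after_slashes.len());
    let host = match host_of_authority(&after_slashes[..end]) {
        Some(h) => h,
        None => return Verdict::Block("malformed authority"),
    };
    if is_loopback_host(&host) || host_allowed(allowed, &host) {
        Verdict::Allow
    } else {
        Verdict::Block("host not in allowed list")
    }
}
```

Two checks worth keeping from this model when reviewing any such middleware: userinfo is stripped before the host is compared (`https://example.com@evil.com/` must resolve to `evil.com`), and the wildcard form matches only on a dot boundary (`.example.com` must not admit `notexample.com`).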