Topics

All topics

Configure redirect validation

Sitefinity CMS comes with an out of the box mechanism for preventing unvalidated redirects and forwards. The unvalidated redirects and forwards vulnerability is also known as Open Redirect. Open Redirect can occur if the URL parameters in an HTTP GET request contain instructions to redirect the user to a different website. Attackers often use this vulnerability to redirect users (for example after certain action like login) to malicious third-party websites that often mimic the original website’s look and domain name. This way an attacker can mislead the user in providing sensitive information.
The Sitefinity CMS redirect validation mechanism is part of the Web security module. It protects your website (both frontend and backend) against Open Redirect vulnerabilities. If the web security module detects an attacker attempts to inject a redirection to a domain that’s not configured as trusted, it intercepts this attempt and displays the following warning screen:

The warning screen informs users about the detected redirect and provides further information about the redirect URL parameters. Users can decide whether to proceed to the redirecting page or return to your Sitefinity CMS website home page.

Redirect validation settings

To access the redirect validation configuration, perform the following:

In Sitefinity CMS backend, navigate to Administration » Settings » Advanced.
In the tree on the left, expand WebSecurity and click on RedirectValidation

You can control the redirect validation behavior by modifying the following properties:

Disable centralized redirect validation
This property controls whether the Redirect validation mechanism is enabled. When checked, the centralized redirect validation does not verify if external redirects lead to trusted sites or not.

NOTE: By default, the redirect validation mechanism is enabled for all new websites created with Sitefinity CMS version 11.1 and later. For websites upgraded to Sitefinity CMS 11.1 and later you need to manually enable the redirect validation.
Trusted locations
This property enables you to specify a comma-separated list of domains that you consider trusted. The redirect validation mechanism will not display the warning screen when it detects external redirects to these domains. By default, the website domains, included in your Sitefinity CMS license are considered trusted.

Additional resources

External links

CWE for OpenRedirect:
http://cwe.mitre.org/data/definitions/601.html
OWASP Unvalidated Redirects and Forwards Cheat Sheet:
https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

Increase your Sitefinity skills by signing up for our free trainings. Get Sitefinity-certified at Progress Education Community to boost your credentials.

Web Security for Sitefinity Administrators

The free standalone Web Security lesson teaches administrators how to protect your websites and Sitefinity instance from external threats. Learn to configure HTTPS, SSL, allow lists for trusted sites, and cookie security, among others.

Foundations of Sitefinity ASP.NET Core Development

The free on-demand video course teaches developers how to use Sitefinity .NET Core and leverage its decoupled architecture and new way of coding against the platform.

Was this article helpful?

Yes No

Would you like to submit additional feedback?

Your feedback about this content is important

How helpful is this article?

Very helpful Somewhat helpful Not helpful

How can we improve this article?(Optional)

Fix typos or links

Fix incorrect information

Add or update code samples

Add or update illustrations

Add information about...

Send feedback Cancel

Configure referrer validation