Configure redirect validation

Sitefinity CMS comes with an out of the box mechanism for preventing unvalidated redirects and forwards. The unvalidated redirects and forwards vulnerability is also known as Open Redirect. Open Redirect can occur if the URL parameters in an HTTP GET request contain instructions to redirect the user to a different website. Attackers often use this vulnerability to redirect users (for example after certain action like login) to malicious third-party websites that often mimic the original website’s look and domain name. This way an attacker can mislead the user in providing sensitive information.
The Sitefinity CMS redirect validation mechanism is part of the Web security module. It protects your website (both frontend and backend) against Open Redirect vulnerabilities. If the web security module detects an attacker attempts to inject a redirection to a domain that’s not configured as trusted, it intercepts this attempt and displays the following warning screen:


The warning screen informs users about the detected redirect and provides further information about the redirect URL parameters. Users can decide whether to proceed to the redirecting page or return to your Sitefinity CMS website home page.

Redirect validation settings

To access the redirect validation configuration, perform the following:

  1. In Sitefinity CMS backend, navigate to Administration » Settings » Advanced.
  2. In the tree on the left, expand WebSecurity and click on RedirectValidation

You can control the redirect validation behavior by modifying the following properties:

  • Disable centralized redirect validation
    This property controls whether the Redirect validation mechanism is enabled. When checked, the centralized redirect validation does not verify if external redirects lead to trusted sites or not.
    NOTE: By default, the redirect validation mechanism is enabled for all new websites created with Sitefinity CMS version 11.1 and later. For websites upgraded to Sitefinity CMS 11.1 and later you need to manually enable the redirect validation.
  • Trusted locations
    This property enables you to specify a comma-separated list of domains that you consider trusted. The redirect validation mechanism will not display the warning screen when it detects external redirects to these domains. By default, the website domains, included in your Sitefinity CMS license are considered trusted.

Additional resources

External links

Increase your Sitefinity skills by signing up for our free trainings. Get Sitefinity-certified at Progress Education Community to boost your credentials.

Get started with Integration Hub | Sitefinity Cloud | Sitefinity SaaS

This free lesson teaches administrators, marketers, and other business professionals how to use the Integration hub service to create automated workflows between Sitefinity and other business systems.

Web Security for Sitefinity Administrators

This free lesson teaches administrators the basics about protecting yor Sitefinity instance and its sites from external threats. Configure HTTPS, SSL, allow lists for trusted sites, and cookie security, among others.

Foundations of Sitefinity ASP.NET Core Development

The free on-demand video course teaches developers how to use Sitefinity .NET Core and leverage its decoupled architecture and new way of coding against the platform.

Was this article helpful?