Configure redirect validation

Sitefinity CMS comes with an out of the box mechanism for preventing unvalidated redirects and forwards. The unvalidated redirects and forwards vulnerability is also known as Open Redirect. Open Redirect can occur if the URL parameters in an HTTP GET request contain instructions to redirect the user to a different website. Attackers often use this vulnerability to redirect users (for example after certain action like login) to malicious third-party websites that often mimic the original website’s look and domain name. This way an attacker can mislead the user in providing sensitive information.
The Sitefinity CMS redirect validation mechanism is part of the Web security module. It protects your website (both frontend and backend) against Open Redirect vulnerabilities. If the web security module detects an attacker attempts to inject a redirection to a domain that’s not configured as trusted, it intercepts this attempt and displays the following warning screen:

OpenRedirectWarningScreen

The warning screen informs users about the detected redirect and provides further information about the redirect URL parameters. Users can decide whether to proceed to the redirecting page or return to your Sitefinity CMS website home page.

Redirect validation settings

To access the redirect validation configuration, perform the following:

  1. In Sitefinity CMS backend, navigate to Administration » Settings » Advanced.
  2. In the tree on the left, expand WebSecurity and click on RedirectValidation

You can control the redirect validation behavior by modifying the following properties:

  • Disable centralized redirect validation
    This property controls whether the Redirect validation mechanism is enabled. When checked, the centralized redirect validation does not verify if external redirects lead to trusted sites or not.
    NOTE: By default, the redirect validation mechanism is enabled for all new websites created with Sitefinity CMS version 11.1 and later. For websites upgraded to Sitefinity CMS 11.1 and later you need to manually enable the redirect validation.
  • Trusted locations
    This property enables you to specify a comma-separated list of domains that you consider trusted. The redirect validation mechanism will not display the warning screen when it detects external redirects to these domains. By default, the website domains, included in your Sitefinity CMS license are considered trusted.

Additional resources

External links

Was this article helpful?