
no-insecure-redirects

ESLint Rule: no-insecure-redirects. This rule is part of [`eslint-plugin-secure-coding`](https://www.npmjs.com/package/eslint-plugin-secure-coding).

Keywords: no insecure redirects, security, ESLint rule, JavaScript, TypeScript, CWE-601

Quick Summary

| Aspect | Details |
| --- | --- |
| CWE Reference | CWE-601 (Open Redirect) |
| Severity | Medium (security vulnerability) |
| Auto-Fix | ❌ No |
| Category | Security |
| ESLint MCP | ✅ Optimized for ESLint MCP integration |
| Best For | Web applications with redirection logic |

Vulnerability and Risk

Vulnerability: An insecure redirect (also called an open redirect, CWE-601) occurs when an application sends the user to a URL taken from untrusted input, such as a query parameter or form field, without validating where that URL points.

Risk: Because the link starts on a domain the user trusts, attackers can use it to deliver victims to phishing pages that harvest credentials or to sites that serve malware, borrowing the reputation of the original domain to make the link look legitimate.

Rule Details

Why This Matters

| Issue | Impact | Solution |
| --- | --- | --- |
| 🔒 Security | Untrusted input decides where the user is sent, so an attacker can craft a link on the trusted domain that lands on a phishing or malware site (CWE-601) | Validate the redirect target against an allowlist of paths or hosts before redirecting, and fall back to a safe default when validation fails |

Configuration

No configuration options available.

Examples

❌ Incorrect

// Example of incorrect usage

✅ Correct

// Example of correct usage
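The following is an added example of the pattern this rule targets beside a hardened replacement; it is not code from eslint-plugin-secure-coding or its documentation. The Express-style `req`/`res` objects, the `res.redirect` call, and the host names `app.example` and `accounts.example` are assumptions for illustration. The hardened version resolves the candidate against the application's own origin with the WHATWG `URL` class (a global in Node.js) and accepts it only if the result is `https:` and on an allowed host, which also rejects scheme-relative (`//evil.example`), backslash (`/\evil.example`), userinfo (`https://app.example@evil.example`) and `javascript:` inputs.

```javascript
// Added example, not code from eslint-plugin-secure-coding.
// req/res and res.redirect() are assumed to be Express-style.

// ❌ Vulnerable: the "next" query parameter is forwarded verbatim.
// https://app.example/login?next=//evil.example/ looks like a link to
// app.example but lands the user on evil.example (CWE-601).
function vulnerableRedirect(req, res) {
  const next = req.query.next;
  res.redirect(next); // redirect target taken from untrusted input
}

// Hypothetical allowlist of hosts users may be sent to.
const ALLOWED_HOSTS = new Set(['app.example', 'accounts.example']);
const FALLBACK = '/';

// ✅ Hardened: returns a redirect target that is safe to pass to
// res.redirect(), or FALLBACK when the candidate cannot be trusted.
// `origin` is the application's own origin (hypothetical value).
function safeRedirectTarget(candidate, origin = 'https://app.example') {
  if (typeof candidate !== 'string' || candidate.length === 0) {
    return FALLBACK;
  }
  let url;
  try {
    // Relative paths resolve against our origin; absolute URLs,
    // scheme-relative URLs and backslash variants resolve to their
    // real host, which the allowlist check below then rejects.
    url = new URL(candidate, origin);
  } catch {
    return FALLBACK; // unparseable input
  }
  if (url.protocol !== 'https:') {
    return FALLBACK; // blocks javascript:, data:, http: and friends
  }
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return FALLBACK; // hostname check defeats userinfo and subdomain tricks
  }
  // For same-origin targets hand back only path, query and fragment so
  // the redirect stays relative; for other allowed hosts return the URL.
  if (url.origin === new URL(origin).origin) {
    return url.pathname + url.search + url.hash;
  }
  return url.href;
}

function hardenedRedirect(req, res) {
  res.redirect(safeRedirectTarget(req.query.next));
}
```

Compare the candidate's `hostname` against the allowlist rather than doing a string prefix check on the raw input: `https://app.example.evil.example/` and `https://app.example@evil.example/` both start with the trusted name but parse to a different host.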

Configuration Examples

Basic Usage

// eslint.config.mjs
export default [
  {
    rules: {
      'secure-coding/no-insecure-redirects': 'error',
    },
  },
];

LLM-Optimized Output

🚨 no insecure redirects | Redirect target taken from untrusted input without validation | MEDIUM
   Fix: Validate the target against an allowlist before redirecting | CWE-601

Known False Negatives

The following patterns are not detected due to static analysis limitations:

Values from Variables

Why: Values stored in variables are not traced.

// ❌ NOT DETECTED - Value from variable
const value = userInput;
dangerousOperation(value);

Mitigation: Validate redirect targets at the point of use, regardless of how the value reached the call.

Wrapper Functions

Why: Custom wrapper functions are not recognized as redirect sinks.

// ❌ NOT DETECTED - Wrapper
myWrapper(userInput); // Uses dangerous API internally

Mitigation: Lint the wrapper's implementation, where the redirect call itself appears.

Dynamic Invocation

Why: Method calls made through computed property access are not analyzed.

// ❌ NOT DETECTED - Dynamic
obj[method](userInput);

Mitigation: Avoid dynamic method invocation.

Further Reading

- CWE-601: URL Redirection to Untrusted Site ('Open Redirect'), https://cwe.mitre.org/data/definitions/601.html