snicco/open-redirect-protection-middleware

Open redirect protection middleware for snicco/http-routing

This middleware protects your application against open redirects.

It inspects the Location header of the response and disallows redirects to external hosts that are not whitelisted.

Instead, the user will be redirected to the configured "exit" page. The intended redirect location will be available in an intented_redirect query variable.
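The decision described above can be sketched as follows. This is an added example, not the middleware's own code: the function name filterLocation, the exact-host comparison and the fail-closed handling of unparseable values are assumptions, and the sample Location values are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration, not the snicco implementation. The function name,
// exact-host matching and fail-closed parsing are assumptions.
function filterLocation(string $location, string $appHost, string $exitPath, array $allowedHosts): string
{
    // Query variable name as given in this README.
    $exit = $exitPath . '?' . http_build_query(['intented_redirect' => $location]);

    // Browsers treat "\" like "/" and skip leading whitespace, so normalise before parsing.
    $normalized = str_replace('\\', '/', trim($location));

    $parts = parse_url($normalized);
    if ($parts === false) {
        return $exit; // Unparseable value: fail closed.
    }

    if (!isset($parts['host'])) {
        // No host and no scheme is a relative reference on the same origin.
        return isset($parts['scheme']) ? $exit : $location;
    }

    // "//host/path" carries no scheme and inherits the page's scheme.
    $scheme = strtolower($parts['scheme'] ?? 'https');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return $exit;
    }

    $host = strtolower($parts['host']);
    $allowed = array_map('strtolower', array_merge([$appHost], $allowedHosts));

    // Exact match only, so a lookalike or suffixed host never passes.
    return in_array($host, $allowed, true) ? $location : $exit;
}

// Constructed regression cases: the first two must pass through unchanged,
// the last three must be rewritten to the exit page.
$samples = [
    '/dashboard?tab=billing',
    'https://accounts.stripe.com/login',
    'https://example.org/landing',
    '//example.org/landing',           // protocol-relative, still external
    'https://snicco.io@example.org/',  // app host appears only as userinfo
];
foreach ($samples as $location) {
    printf("%-34s => %s\n", $location, filterLocation($location, 'snicco.io', '/exit', ['stripe.com', 'accounts.stripe.com']));
}
```

The exit page should treat the intented_redirect value as untrusted input: show the destination host to the user and require an explicit click rather than forwarding automatically.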

Installation

composer require snicco/open-redirect-protection-middleware

Usage

This middleware should be added globally in the MiddlewareResolver.

The OpenRedirectProtection middleware must be bound in the PSR-11 container that is used by the snicco/http-routing component.

use Snicco\Middleware\OpenRedirectProtection\OpenRedirectProtection;

// In your PSR-11 container.
$open_redirect_protection = new OpenRedirectProtection(
    'snicco.io', // The host of your application.
    '/exit', // The path of the exit page.
    [
        'stripe.com',
        'accounts.stripe.com',
    ] // Whitelisted domains.
);

Contributing

This repository is a read-only split of the development repo of the Snicco project.

This is how you can contribute.

Reporting issues and sending pull requests

Please report issues in the Snicco monorepo.

Security

If you discover a security vulnerability, please follow our disclosure procedure.

About

[READ ONLY] Subtree split of the snicco/open-redirect-protection-middleware package (see snicco/snicco).
