Securing PHP Applications Against Open Redirect Vulnerabilities

By Alessandro D.P.2 min readMarch 27, 2026

Open redirects can be particularly dangerous because they can be exploited to trick users into visiting harmful sites that appear legitimate. By the end of this article, you will understand how to implement safe redirection practices in your PHP applications.

Understanding Open Redirects

An open redirect vulnerability typically arises from a lack of validation on URLs provided by users. For instance, consider the following PHP code snippet:

<?php
$redirect_url = $_GET['url'];
header("Location: " . $redirect_url);
exit();
?>

In this example, if a user provides a URL like http://malicious-site.com, the application will redirect the user to that site, potentially leading to phishing attacks.

Identifying Open Redirects

To identify open redirect vulnerabilities, you can perform the following steps:

Review the Code: Look for instances where user input is used in redirection logic without validation.
Test Input: Try providing various URLs to see if the application redirects to them.
Check Logs: Monitor access logs for unusual redirect patterns.

Mitigating Open Redirect Vulnerabilities

To secure your application against open redirects, follow these best practices:

1. Whitelist Valid Redirect URLs

One of the most effective ways to prevent open redirects is to maintain a whitelist of allowed URLs. Here’s how to implement this in PHP:

<?php
$allowed_urls = [
    'https://example.com/home',
    'https://example.com/dashboard',
    'https://example.com/profile'
];

$redirect_url = $_GET['url'];

if (in_array($redirect_url, $allowed_urls)) {
    header("Location: " . $redirect_url);
    exit();
} else {
    // Redirect to a safe default page
    header("Location: https://example.com/home");
    exit();
}
?>

2. Use Relative URLs

If possible, use relative URLs instead of absolute URLs. This limits the redirection to your own domain:

<?php
$redirect_path = $_GET['path'];

if (preg_match('/^\/(home|dashboard|profile)$/', $redirect_path)) {
    header("Location: " . $redirect_path);
    exit();
} else {
    header("Location: /home");
    exit();
}
?>

3. Encode URLs

If you must use user-controlled URLs, ensure they are properly encoded to prevent injection attacks:

<?php
$redirect_url = filter_input(INPUT_GET, 'url', FILTER_SANITIZE_URL);

if (filter_var($redirect_url, FILTER_VALIDATE_URL)) {
    header("Location: " . htmlspecialchars($redirect_url));
    exit();
} else {
    header("Location: https://example.com/home");
    exit();
}
?>

4. Implement Logging

Implement logging for redirection attempts to monitor for suspicious activity. This can help you identify potential abuse:

<?php
$redirect_url = $_GET['url'];
$log_file = 'redirect_log.txt';

if (filter_var($redirect_url, FILTER_VALIDATE_URL)) {
    file_put_contents($log_file, date('Y-m-d H:i:s') . " - Redirecting to: " . $redirect_url . "\n", FILE_APPEND);
    header("Location: " . htmlspecialchars($redirect_url));
    exit();
} else {
    header("Location: https://example.com/home");
    exit();
}
?>

Summary of Best Practices

Best Practice	Description
Whitelist URLs	Only allow redirection to a predefined set of URLs.
Use Relative URLs	Limit redirection to paths within your own domain.
Encode URLs	Sanitize and encode URLs to prevent injection attacks.
Implement Logging	Log redirection attempts for monitoring and analysis.

By following these practices, you can significantly reduce the risk of open redirect vulnerabilities in your PHP applications.