Backend safety

safe-redirect

Flag redirects derived from request input (open redirect / phishing path).

Covers Express, Koa, Fastify, and Next.js redirect surfaces. Only fires when the redirect target hits a well-known untrusted property path (`query`/`body`/`params`/`headers`/`cookies`/`url`/`nextUrl`) — server-loaded resources like `req.user.id` and `req.pet.id` stay quiet so canonical "redirect to your own profile" code doesn't dominate.

Behavior

  • Fixable: No.
  • Suggestions: No.

Examples

Bad:

res.redirect(req.query.next); // target is attacker-controlled request input

Good:

res.redirect(allowedNextUrls[req.query.next] ?? '/'); // input only selects from a fixed allowlist
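The allowlist pattern in the "Good" example, carried through as a complete handler. This is an added example, not code from the deslint project: the allowlist entries and the `loginRedirectHandler` function are constructed for illustration, and `res.redirect` is assumed to be Express's. It also goes one step beyond the page by adding a second helper for routes that genuinely need a free-form local path, which checks that the target stays on the application's own origin after URL normalisation.

```javascript
// Added example (not deslint's own code). Shows two ways to keep a redirect
// target from being chosen by request input: a fixed allowlist lookup, and a
// same-origin path validator for free-form targets.

// Constructed allowlist: the request may pick a key, never a URL.
// A Map (rather than a plain object) avoids matching inherited properties
// such as 'constructor' or '__proto__' when the key comes from the client.
const ALLOWED_NEXT = new Map([
  ['dashboard', '/dashboard'],
  ['settings', '/account/settings'],
  ['orders', '/orders'],
]);

// Resolve a `next` query value to a redirect path. Unknown keys, missing
// values and repeated parameters (which query parsers turn into arrays)
// all fall back to '/'.
function resolveNext(nextParam) {
  if (typeof nextParam !== 'string') return '/';
  return ALLOWED_NEXT.get(nextParam) ?? '/';
}

// For routes that need an arbitrary local path: return a normalised path
// that is guaranteed to stay on the current origin, or null if the input
// would leave it. Resolving against a fixed placeholder origin lets the
// WHATWG URL parser apply the same rules a browser would.
const LOCAL_ORIGIN = 'https://example.invalid'; // placeholder, never emitted
function safeLocalPath(target) {
  if (typeof target !== 'string' || !target.startsWith('/')) return null;
  let url;
  try {
    url = new URL(target, LOCAL_ORIGIN);
  } catch {
    return null;
  }
  // '//host', '/\host' and scheme-bearing inputs resolve to another origin.
  if (url.origin !== LOCAL_ORIGIN) return null;
  // '/..//host' normalises to a protocol-relative path; reject that too.
  if (url.pathname.startsWith('//')) return null;
  return url.pathname + url.search + url.hash;
}

// Express-style handler (constructed): the rule would flag
// `res.redirect(req.query.next)`, but not this lookup.
function loginRedirectHandler(req, res) {
  res.redirect(resolveNext(req.query.next));
}

module.exports = { resolveNext, safeLocalPath, loginRedirectHandler };
```

`resolveNext` is the form the rule expects to see at a redirect site; `safeLocalPath` is only for the rarer case where a route must accept a caller-supplied path, and even then the value passed to `res.redirect` is the normalised output, not the original input.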

Use it

Enable safe-redirect in your eslint.config.js:

import deslint from '@deslint/eslint-plugin';

export default [
  {
    plugins: { deslint },
    rules: {
      'deslint/safe-redirect': 'error',
    },
  },
];
