{"id":16979355,"url":"https://github.com/marcl/secure-redirects","last_synced_at":"2026-05-03T12:38:44.916Z","repository":{"id":71372442,"uuid":"74132018","full_name":"MarcL/secure-redirects","owner":"MarcL","description":"🔐 Express middleware to secure open redirects.","archived":false,"fork":false,"pushed_at":"2016-12-06T22:27:05.000Z","size":26,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-07-10T22:15:26.608Z","etag":null,"topics":["express-middleware","nodejs","npm","redirection","security"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MarcL.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2016-11-18T13:29:39.000Z","updated_at":"2017-02-17T14:09:48.000Z","dependencies_parsed_at":"2023-03-11T10:25:19.186Z","dependency_job_id":null,"html_url":"https://github.com/MarcL/secure-redirects","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/MarcL/secure-redirects","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarcL%2Fsecure-redirects","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarcL%2Fsecure-redirects/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarcL%2Fsecure-redirects/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarcL%2Fsecure-redirects/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MarcL","download_url":"https://codeload.github.com/MarcL/secure-redirects/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarcL%2Fsecure-redirects/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32569714,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-03T06:36:36.687Z","status":"ssl_error","status_checked_at":"2026-05-03T06:36:09.306Z","response_time":103,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["express-middleware","nodejs","npm","redirection","security"],"created_at":"2024-10-14T01:45:34.913Z","updated_at":"2026-05-03T12:38:44.895Z","avatar_url":"https://github.com/MarcL.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# secure-redirects\n\n\u003e An Express middleware to stop unvalidated redirects and forwards.\n\n[![Build Status](https://travis-ci.org/MarcL/secure-redirects.svg?branch=master)](https://travis-ci.org/MarcL/secure-redirects)\n[![Coverage Status](https://coveralls.io/repos/github/MarcL/secure-redirects/badge.svg?branch=master)](https://coveralls.io/github/MarcL/secure-redirects?branch=master)\n\n## Installation\n\n```\nnpm install --save secure-redirects\n```\n\n## Why should I secure my Express redirects?\n\nhttps://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards\n\n## API\n\n```js\nvar secureRedirects = require('secure-redirects');\n```\n\n### secureRedirects(options)\n\nCreate a new `secureRedirects` middleware by using the default options. By default, you don't need to pass any options into it and it will lock your redirects to your current domain. This happens by comparing the redirection URL host against the current host to see if they differ.\n\n#### options.validator\n\nIf you need custom functionality then you can pass in a custom validator function. This should be a function which returns a boolean which should be `true` if the redirection host is valid or `false` if the redirection host is invalid. The redirection hostname and the current hostname will be passed to the validator.\n\n```js\nvar secureRedirects = require('secure-redirects');\n\nvar options = {\n    // Only allow redirection to google.com\n    validator: function(redirectHostname, currentHostname) {\n        return (redirectHostname === 'google.com');\n    }\n};\n\napp.use(secureRedirects(options));\n```\n\n#### options.logger\n\nThe logger defaults to `console` but you can pass another logger object, such as [Winston](https://github.com/winstonjs/winston) into the options if required. The logger is assumed to contain a `warn` property which is called if the redirection URL is being re-written.\n\n```js\nvar secureRedirects = require('secure-redirects');\n\nvar options = {\n    logger: myCustomLogger\n};\n\napp.use(secureRedirects(options));\n```\n\n#### options.redirectUrl\n\nBy default the middleware will redirect to the root of the domain that the Express server is running on. You can override this behaviour by passing a specified redirection url as part of the options.\n\n```js\nvar secureRedirects = require('secure-redirects');\n\n// Redirect to https://twitter.com if bad redirect is encountered\nvar options = {\n    redirectUrl: 'https://twitter.com'\n};\n\napp.use(secureRedirects(options));\n```\n\n### secureRedirect()\n\nCreate a new `secure-redirect` Express middleware which stops insecure redirects outside of the current domain.\n\n## Example\n\nSimple app that will not allow redirects outside of the current domain\n\n```js\nvar express = require('express')\nvar secureRedirects = require('secure-redirects')\n\nvar app = express()\n\napp.use(secureRedirects())\n\napp.get('/', function (request, response) {\n    response.send('hello, world!')\n})\n\napp.get('/bad-redirect', function (request, response) {\n    response.redirect('https://google.com');\n})\n\napp.get('/bad-user-redirect', function (request, response) {\n    var redirectUrl = request.query.url;\n    response.redirect(redirectUrl);\n})\n```\n\n## License\n\n[MIT](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmarcl%2Fsecure-redirects","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmarcl%2Fsecure-redirects","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmarcl%2Fsecure-redirects/lists"}