Unvalidated Redirects and Forwards
- Avoid using request parameters as part of a forward or redirect.
- Where a request parameter must be used as part of a forward or redirect, validate it and ensure that the user is authorised for the resulting URL.
- Where possible, use a server-side mapping from the request parameter to the value used for the forward or redirect.
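
The example below is added here and is not part of the original page. It sketches the three points in Python: the request parameter is a key into a server-side mapping, a raw path is accepted only through a strict validator, and the resulting URL is checked against the user's roles. The keys, paths, role names and function names are all assumptions made for illustration.

```python
import re

# Server-side mapping: the request carries a short key, never a URL.
# Keys, paths and roles are constructed for illustration.
REDIRECT_TARGETS = {
    "home": "/",
    "profile": "/account/profile",
    "admin": "/admin/dashboard",
}
PROTECTED_PREFIXES = {"/admin": "admin", "/account": "user"}
DEFAULT_TARGET = "/"

# Conservative allowlist for the fallback case: a same-site absolute path
# made of plain segments. Rejects schemes, "//host", backslashes, dots,
# percent-encoding, queries and control characters in one rule.
LOCAL_PATH = re.compile(r"(?:/[A-Za-z0-9_-]+)+|/")


def is_safe_local_path(value):
    """Validate a raw parameter when a mapping key cannot be used."""
    return isinstance(value, str) and LOCAL_PATH.fullmatch(value) is not None


def is_authorised(path, roles):
    """Stand-in for the application's own access-control decision."""
    lowered = path.lower()
    for prefix, role in PROTECTED_PREFIXES.items():
        if lowered == prefix or lowered.startswith(prefix + "/"):
            if role not in roles:
                return False
    return True


def resolve_redirect(param, roles, allow_raw_path=False):
    """Return the path to redirect to, or DEFAULT_TARGET if param is rejected."""
    target = REDIRECT_TARGETS.get(param)
    if target is None and allow_raw_path and is_safe_local_path(param):
        target = param
    if target is None or not is_authorised(target, roles):
        return DEFAULT_TARGET
    return target
```

Rejected values fall back to a fixed default rather than being echoed back or partially repaired, so a malformed parameter can never influence the Location header.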