Redirect Security

Redirecting users from one page to another is a security risk you should consider. For example, a URL on your site may carry a redirect target as a parameter, so that a single page can send users on to different locations within your site after an action completes.

Typically these targets are other pages on your site, but they can also point to another interface, either on your site or on an external site. Because the destination is taken from the URL, an attacker who can choose that value controls where the user ends up. Attackers take advantage of redirects by placing crafted URLs in these locations:

  • Questions on your page
  • Uploaded files
  • Emails

In each of these scenarios, the attacker bets that users will click the crafted link, because it begins with your trusted domain, and then be redirected to an external site where their data can be maliciously harvested.

To protect your site from this type of attack, set the CP_REDIRECT_HOSTS configuration setting to a list of interface domains that are legitimate redirect targets. The default value is blank, which limits redirects to pages within your interface domain. Keep in mind that redirects to domains specified in related configuration settings are implicitly allowed, so review those settings as well when deciding what the effective allowlist is.

This table displays sample values for CP_REDIRECT_HOSTS.

Sample Values for CP_REDIRECT_HOSTS

  Value                               Meaning
  Blank                               Prevents all redirects outside of your interface. (Default)
  *                                   Allows all redirects. (Not recommended.)
  *.example.com                       Allows redirects to all sites in the example.com domain.
  one.example.com, two.example.com    Allows redirects to sites one and two in the example.com domain.
  example.custhelp.com, *.test.com    Allows redirects to example.custhelp.com and any interface in the test.com domain.
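To make the allowlist semantics above concrete, here is an added illustrative redirect guard written for this page; it is not Oracle's own code and does not reproduce how the product parses CP_REDIRECT_HOSTS. It assumes the matching rules shown in the table (blank means same interface only, `*` means any host, `*.example.com` means hosts under example.com, comma-separated entries are exact hosts) and adds the checks a practitioner would want around them: only http(s) targets with an explicit host are considered, the host is taken from the parsed URL so userinfo tricks such as `https://one.example.com@evil.com` resolve to `evil.com`, and backslashes are rejected because browsers normalise `/\evil.com` to `//evil.com`. Two details the page does not specify are labelled as assumptions in the code: a `*.` wildcard matches subdomains only, and the port is ignored when comparing hosts. The interface host `example.custhelp.com` and the sample targets are constructed for the demonstration.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")


def parse_redirect_hosts(setting: str) -> list[str]:
    """Split a CP_REDIRECT_HOSTS-style value such as
    'one.example.com, *.test.com' into lower-cased patterns.
    A blank value yields an empty list: only the interface host is allowed."""
    return [h.strip().lower() for h in setting.split(",") if h.strip()]


def host_matches(host: str, pattern: str) -> bool:
    """Match one host against one pattern: '*', '*.domain' or an exact host.
    Assumption (not stated on the page): '*.example.com' matches subdomains
    only, so the bare 'example.com' must be listed explicitly if wanted."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]            # '*.example.com' -> '.example.com'
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_safe_redirect(target: str, interface_host: str, setting: str = "") -> bool:
    """Decide whether `target` may be used as a redirect destination.

    interface_host: the site's own host, always allowed (the blank default).
    setting:        the CP_REDIRECT_HOSTS value.
    Assumption: the port is ignored when comparing hosts.
    """
    target = target.strip()
    # Browsers treat '\' as '/' in http(s) URLs, so '/\evil.com' becomes
    # '//evil.com'. urlsplit does not, so reject backslashes outright.
    if "\\" in target:
        return False
    parts = urlsplit(target)
    # A plain path ('/app/answers/list') has no scheme and no host and stays
    # on the interface. Note '//evil.com' has an empty scheme but a non-empty
    # netloc, so it is not treated as relative here.
    if not parts.scheme and not parts.netloc:
        return True
    # Only http(s) with an explicit authority: this rejects 'javascript:...'
    # and 'https:evil.com' (no '//', which urlsplit parses as a path).
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return False
    # .hostname strips userinfo and port and lower-cases, so
    # 'https://one.example.com@evil.com' yields 'evil.com'.
    host = parts.hostname or ""
    if host == interface_host.lower():
        return True
    return any(host_matches(host, p) for p in parse_redirect_hosts(setting))


if __name__ == "__main__":
    # Constructed sample targets; 'example.custhelp.com' is an assumed interface host.
    samples = [
        ("/app/answers/list", ""),
        ("https://evil.com/", ""),
        ("https://evil.com/", "*"),
        ("https://one.example.com/", "*.example.com"),
        ("https://one.example.com@evil.com/", "*.example.com"),
        ("/\\evil.com", "*"),
    ]
    for target, setting in samples:
        verdict = is_safe_redirect(target, "example.custhelp.com", setting)
        print(f"{setting or '(blank)':<16} {target:<36} {verdict}")
```

The guard deliberately refuses scheme-relative targets (`//host/...`) even when the host would be allowed, since they are the most common way an attacker smuggles an external host past a check that only looks for `http`. If you adapt this to a real site, keep the allowlist short and avoid `*`: the table's "Not recommended" is the whole point of the setting.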

For information about securely publishing answer links on your site, see Email Security.