According to a Google's post: Open redirect URLs: Is your site being abused?
If your website does have a genuine need to provide URL redirects, you can properly hash the destination URL and then include that cryptographic signature as another parameter when doing the redirect. That allows your own site to do URL redirection without opening your URL redirector to the general public.
I have the following questions:
- Do we create signatures at the client side and send it over to the server side?
- How do we validate the signature on the server side?
- What does without opening your URL redirector to the general public mean?
Thanks in advance!
Aucun commentaire:
Enregistrer un commentaire