Will It Vibe logoWill It Vibe?
WEBSEC-004High severity-15 points

Server-side open redirect from request input (Python)

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

A Flask/Django redirect target is taken straight from request.args/form/GET, letting an attacker craft a phishing redirect link.

Why it matters

Passing request.args or request.form directly into redirect lets an attacker choose the destination. A link to your trusted domain then bounces the user to an attacker page, which is convincing for phishing and credential theft. The user sees your domain in the original link and trusts the flow.

How to fix it

Validate the redirect target before using it. Compare against an allowlist of known endpoints, or restrict it to same-site relative paths with urllib.parse (reject anything with a netloc or scheme). Werkzeug and Django both offer url_has_allowed_host_and_scheme style checks; use one and redirect to a safe default when the target fails.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks