Redirect Domain Configuration

Anubis has an HTTP redirect in the middle of its check validation logic. This redirect allows Anubis to set a cookie on validated requests so that users don't need to pass challenges on every page load.

This flow looks something like this:

(Sequence diagram; participants: User, Challenge, Validation, Backend.)

1. User -> Backend: GET /
2. Challenge -> User: Solve this challenge
3. User -> Validation: Here's the solution, send me to /
4. Validation -> User: Here's a cookie, go to /
5. User -> Backend: GET /

However, a sufficiently dedicated attacker could trick a user into clicking a validation link with a solution already filled in and a redirect target of the attacker's choosing. For example:

(Sequence diagram; participants: Hacker, User, Validation, Evil Site.)

1. Hacker -> User: Click on yoursite.com with this solution
2. User -> Validation: Here's a solution, send me to evilsite.com
3. Validation -> User: Here's a cookie, go to evilsite.com
4. User -> Evil Site: GET evilsite.com

If this happens, Anubis will throw an error like this:

Redirect domain not allowed

Configuring allowed redirect domains

By default, Anubis limits redirects to the same HTTP Host that Anubis is running on (e.g. requests to yoursite.com cannot redirect outside of yoursite.com). If you need to allow more than one domain, set the REDIRECT_DOMAINS environment variable to a comma-separated list of domain names that Anubis should allow redirects to.

Note: these domains are an exact string match; they do not support wildcard matches.

# anubis.env

REDIRECT_DOMAINS="yoursite.com,secretplans.yoursite.com"
# ...
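The following Go program is an added illustration of the check described above (same-Host allowed by default, plus an exact-match REDIRECT_DOMAINS list, no wildcards). It is not Anubis's own code; the function names, the port-stripping behaviour and the handling of relative paths are this example's assumptions. It shows which redirect targets a strict exact-match policy accepts and which it rejects, including a subdomain that is not listed, a protocol-relative URL, and a URL whose userinfo part looks like the allowed host.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// errRedirectDomainNotAllowed corresponds to the error the page shows
// ("Redirect domain not allowed").
var errRedirectDomainNotAllowed = errors.New("redirect domain not allowed")

// parseRedirectDomains splits a REDIRECT_DOMAINS-style value into a set of
// exact hostnames. Entries are trimmed and lowercased; there is no wildcard
// handling, matching the documented exact-string behaviour.
func parseRedirectDomains(raw string) map[string]bool {
	allowed := make(map[string]bool)
	for _, d := range strings.Split(raw, ",") {
		d = strings.ToLower(strings.TrimSpace(d))
		if d != "" {
			allowed[d] = true
		}
	}
	return allowed
}

// hostOnly strips an optional ":port" from a Host value and lowercases it
// (assumption of this example: the port is not part of the policy).
func hostOnly(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		return strings.ToLower(h)
	}
	return strings.ToLower(host)
}

// checkRedirect decides whether redirectTo may be used as the
// post-validation redirect. requestHost is the HTTP Host the validation
// request arrived on and is always allowed (the documented default);
// allowed is the parsed REDIRECT_DOMAINS set.
func checkRedirect(requestHost, redirectTo string, allowed map[string]bool) error {
	u, err := url.Parse(redirectTo)
	if err != nil {
		return fmt.Errorf("invalid redirect target: %w", err)
	}
	// A plain path such as "/" has neither scheme nor host and stays on the
	// current site. A protocol-relative "//evilsite.com" is parsed with a
	// non-empty Host, so it does not take this branch.
	if u.Scheme == "" && u.Host == "" {
		return nil
	}
	// url.Parse puts "user@" into u.User, so "https://yoursite.com@evilsite.com/"
	// yields Host "evilsite.com" and is judged on the real host.
	target := hostOnly(u.Host)
	if target == "" {
		// e.g. opaque schemes like "javascript:..." have no host: reject.
		return errRedirectDomainNotAllowed
	}
	if target == hostOnly(requestHost) || allowed[target] {
		return nil
	}
	return errRedirectDomainNotAllowed
}

func main() {
	// Constructed sample configuration, mirroring the anubis.env snippet above.
	allowed := parseRedirectDomains("yoursite.com,secretplans.yoursite.com")
	for _, target := range []string{
		"/",
		"https://secretplans.yoursite.com/plans",
		"https://other.yoursite.com/",
		"//evilsite.com/",
		"https://yoursite.com@evilsite.com/",
	} {
		fmt.Printf("%-40s -> %v\n", target, checkRedirect("yoursite.com", target, allowed))
	}
}
```

Note that an unlisted subdomain (other.yoursite.com) is rejected even though yoursite.com is allowed; that is the consequence of exact matching without wildcards, so every host you intend to redirect to must appear in the list verbatim.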