| Option | ALLOWED_REDIRECT_TARGET_DOMAINS |
| --- | --- |
| Description | Specifies which domains are permitted as redirect targets after authentication or other redirect operations. This security setting prevents open redirect vulnerabilities by restricting where users can be redirected after login or other operations. |
This setting is often used with authentication provider configurations, load balancer and reverse proxy settings, and network firewall and security group rules.
Only add trusted domains to this list. Allowing untrusted domains can create security vulnerabilities that attackers could exploit to redirect users to malicious sites.
Use commas (,) to separate multiple domains. Avoid wildcard patterns unless absolutely necessary, and use specific subdomains rather than top-level domains when possible. Entries can include:

- Hostnames with optional ports: `example.com,app.example.com:8080`
- Localhost addresses: `localhost:3000,127.0.0.1:8080`
- CDN and cloud service domains: `d295ft4mxtyrgs.cloudfront.net`
- IP addresses with ports: `192.168.1.100:3000`
An example configuration is:
"localhost:3000,d295ft4mxtyrgs.cloudfront.net,humio-ci-frontend-deployment.s3-website.eu-central-1.amazonaws.com".
And an example multi-environment configuration is:
"localhost:3000,staging.mycompany.com,app.mycompany.com,myapp.s3-website.us-east-1.amazonaws.com"
When this setting is not configured or is empty, only the current domain is allowed as a redirect target. External redirects will be blocked and may result in authentication errors. Check the application logs for "redirect target not allowed" messages.
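The following is an added illustration of how an allow-list like this is typically enforced; it is example code, not the product's own implementation. It assumes a hypothetical `current_host` (the host the application itself is served on) and applies exact host[:port] matching with no wildcard or suffix matching, so a user-controlled redirect parameter cannot escape to an unlisted host.

```python
from urllib.parse import urlsplit


def parse_allowed_domains(value: str) -> set[str]:
    """Parse the comma-separated option value into lower-cased host[:port] entries.
    Surrounding whitespace and empty entries are ignored; wildcards are not supported."""
    return {entry.strip().lower() for entry in value.split(",") if entry.strip()}


def redirect_target_allowed(target: str, allowed: set[str], current_host: str) -> bool:
    """Decide whether `target` may be used as a post-login redirect destination.

    Path-only targets ("/dashboard") stay on the current site and are allowed.
    Absolute URLs are allowed only when their host (or host:port when a port is
    explicit) exactly equals an allow-list entry or the current host. A
    protocol-relative "//host" is treated as absolute, and the host is taken
    from the parsed hostname, so "https://good.example@other.example/" is
    checked against "other.example", not "good.example".
    """
    if "\\" in target:
        # Browsers normalise "/\\host" to "//host"; reject rather than guess.
        return False
    try:
        parts = urlsplit(target)
        host, port = parts.hostname, parts.port  # .port raises on a malformed port
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        return target.startswith("/")  # same-site relative path
    if parts.scheme not in ("http", "https") or not host:
        return False
    key = host.lower() if port is None else f"{host.lower()}:{port}"
    return key == current_host.lower() or key in allowed


# The example configuration value from this page, used as sample input.
SAMPLE_VALUE = (
    "localhost:3000,d295ft4mxtyrgs.cloudfront.net,"
    "humio-ci-frontend-deployment.s3-website.eu-central-1.amazonaws.com"
)

if __name__ == "__main__":
    allowed = parse_allowed_domains(SAMPLE_VALUE)
    for candidate in ("https://d295ft4mxtyrgs.cloudfront.net/app", "http://localhost:4000/",
                      "https://d295ft4mxtyrgs.cloudfront.net.untrusted.example/", "/dashboard"):
        print(candidate, "->", redirect_target_allowed(candidate, allowed, "logscale.mycompany.com"))
```

With the option left empty, `parse_allowed_domains("")` yields an empty set and only `current_host` (plus relative paths) passes, matching the behaviour described above.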
Changes take effect after restart. There is no performance impact for reasonable domain list sizes (<100 domains).