High impact. If this is found on your site, treat it as urgent. It can lead to real damage and is worth fixing before anything else.
What it is
Expired, self-signed, or soon-to-expire certificates and missing HTTP→HTTPS redirects.
How attackers abuse it
Your site redirects to a URL from the user, so an attacker sends a link that looks like your domain but lands the victim on a phishing or malware site.
Attacker playbook
1. Find a redirect parameter (return, next, url).
2. Set it to an external attacker site.
3. Share the link; victims trust your domain and get redirected.
How VibeSec detects and confirms it
VibeSec checks for this with a passive, read-only scan that is safe to run on any site. We use VibeSec native and base the finding only on what your site already exposes publicly.
If this is in your report: how to fix it
- Redirect only to an allow-list of known paths.
- Do not accept full URLs from users for redirects.
- If external redirects are needed, show an interstitial warning.
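As an added example (not VibeSec's own code), a small Python check that enforces the first two fixes above: a redirect target is accepted only when it is a site-local path on an allow-list, and anything carrying a scheme or host, including protocol-relative and backslash variants, falls back to a safe default. The ALLOWED_PATHS set and the evil.example host are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allow-list of local paths a login or checkout flow may return to.
ALLOWED_PATHS = {"/", "/account", "/dashboard", "/orders"}


def is_safe_redirect(target: str) -> bool:
    """Return True only if target is a relative path on the allow-list."""
    if not target:
        return False
    # Whitespace and control characters are stripped by some URL parsers,
    # which can turn a harmless-looking value into an absolute URL.
    if any(ord(c) < 0x21 for c in target):
        return False
    # Browsers treat backslashes as slashes, so "/\\host" becomes "//host".
    if "\\" in target:
        return False
    parts = urlsplit(target)
    # A scheme or host means a full or protocol-relative URL
    # ("https://evil.example", "//evil.example", "javascript:..."): reject.
    if parts.scheme or parts.netloc:
        return False
    # Browsers collapse "///host" to "//host"; urlsplit does not, so check the path.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return False
    # Exact match against the allow-list; query and fragment are kept on the
    # returned value but do not affect the decision.
    return parts.path in ALLOWED_PATHS


def resolve_redirect(target: str, default: str = "/") -> str:
    """Return target if it passes the check, otherwise the safe default."""
    return target if is_safe_redirect(target) else default
```

When an external destination is genuinely required, keep the target out of this function entirely and route it through the interstitial warning page instead.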
Check your site for this
Run a scan and see whether this affects you, in plain language with copy-paste fixes.