Redirecting/rickrolling intruders

Unvalidated redirects do not necessarily apply here. An unvalidated redirect is something more along the lines of an attacker being able to send a victim to a destination of the attacker's choosing. If you read the example on the OWASP page you linked at the bottom, you will see that the attacker crafts a URL that can be sent to a victim using social engineering or otherwise. A static redirect coming from a server is a completely different scenario.

While rickrolling an attacker may seem amusing, legitimate users would be quite confused if they are given a link to your site which automatically rickrolls them, decreasing the user's trust.


All of the examples in the page you link are talking about cases where the user supplies all or part of the URL to be redirected to - unless I'm missing something about the Node.js package you linked, the parameter is supplied in the server configuration, so it is not vulnerable to exploits related to parameters passed by an attacker. Assuming no malicious user has control of your site (in which case, there are a myriad ways they can force a user to redirect to a site they control anyway), I don't see how this could introduce a vulnerability. That said, you will need to be very careful to only give it URLs which users would never hit legitimately or through mistaken typing.
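To make the distinction both answers draw concrete, here is an added example in plain Node.js (not code from the question's package or from either answer): an open redirect where the client picks the destination, a static redirect table chosen entirely by the operator, and an origin-checked "return to" parameter for the case where user input genuinely has to influence the target. The decoy paths and destination URL are constructed placeholders.

```javascript
// Constructed server configuration: the operator chooses every destination.
// Keys are decoy paths a legitimate user should never reach, as the second
// answer cautions; nothing the client sends can alter the right-hand side.
const STATIC_REDIRECTS = {
  '/wp-login.php': 'https://decoy.example/rickroll',
  '/phpmyadmin/': 'https://decoy.example/rickroll',
};

// Open (unvalidated) redirect: the destination comes straight from the request,
// so a crafted link such as /go?url=https://evil.example/ forwards the victim
// wherever the link's author wants. Shown only to illustrate the flaw's shape.
function openRedirectTarget(requestUrl) {
  const u = new URL(requestUrl);
  return u.searchParams.get('url'); // attacker-controlled, never checked
}

// Static redirect: the request merely selects a row in a table the operator
// wrote. Query strings and other client input are ignored entirely.
function staticRedirectTarget(requestUrl) {
  const u = new URL(requestUrl);
  return STATIC_REDIRECTS[u.pathname] || null;
}

// Allowlisted redirect for a genuinely needed parameter (e.g. "return here
// after login"): resolve the value against our own origin and insist the
// result stays on it. This rejects absolute URLs to other hosts, protocol-
// relative //evil.example, backslash tricks, and non-http schemes.
function safeReturnTarget(requestUrl, siteOrigin) {
  const u = new URL(requestUrl);
  const next = u.searchParams.get('next') || '/';
  const resolved = new URL(next, siteOrigin);
  if (resolved.origin !== new URL(siteOrigin).origin) return '/';
  return resolved.pathname + resolved.search;
}
```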