Remediation Steps
Follow the steps below to remediate this finding (generic developer guidance).
Redirect responses that carry a large body may expose sensitive data: both the body and the Location header reach the client before the browser follows the redirect, so anything written there is visible to the user and to any proxy or log that records the response.
Audit all redirect responses (301, 302, 307, 308) and ensure that:
- The response body is empty or minimal.
- No session tokens, personal data, or internal paths appear in the Location URL.
- Query parameters in redirect targets are stripped or anonymised where possible.
In PHP:
header('Location: /destination', true, 302); exit; // The third argument sets the status code; always exit immediately after sending the header so nothing is written to the body.
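The following is an added example, not code from the original guidance, that turns the checklist above into a reusable PHP helper: it strips a deny-list of sensitive query parameters from the redirect target, discards any buffered output so the response body is empty, refuses to redirect once output has already started, and exits after sending the header. The function names, the SENSITIVE_QUERY_PARAMS list and the fallback to "/" are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Assumed deny-list for this example: parameter names that must never travel in a Location URL.
// Extend it with the names your application actually uses for tokens and personal data.
const SENSITIVE_QUERY_PARAMS = ['token', 'session', 'sid', 'phpsessid', 'email', 'password', 'api_key'];

/**
 * Rebuild a redirect target with sensitive query parameters removed.
 * Parameter names are compared case-insensitively. URL userinfo (user:pass@host)
 * is dropped deliberately, since credentials never belong in a Location header.
 */
function sanitize_redirect_target(string $target, array $denyList = SENSITIVE_QUERY_PARAMS): string
{
    $parts = parse_url($target);
    if ($parts === false) {
        // Unparseable target: fall back to a safe default rather than echoing it back.
        return '/';
    }

    $query = [];
    if (isset($parts['query'])) {
        parse_str($parts['query'], $query);
        $deny = array_map('strtolower', $denyList);
        foreach (array_keys($query) as $name) {
            if (in_array(strtolower((string) $name), $deny, true)) {
                unset($query[$name]);
            }
        }
    }

    $rebuilt = '';
    if (isset($parts['scheme'])) {
        $rebuilt .= $parts['scheme'] . '://';
    }
    if (isset($parts['host'])) {
        $rebuilt .= $parts['host'];
    }
    if (isset($parts['port'])) {
        $rebuilt .= ':' . $parts['port'];
    }
    $rebuilt .= $parts['path'] ?? '/';
    if ($query !== []) {
        $rebuilt .= '?' . http_build_query($query);
    }
    // The fragment is never sent to the server but is kept so the client lands in the right place.
    if (isset($parts['fragment'])) {
        $rebuilt .= '#' . $parts['fragment'];
    }
    return $rebuilt;
}

/**
 * Send a redirect whose body is guaranteed to be empty, then stop the script.
 * Only the status codes named in the guidance (301, 302, 307, 308) are accepted.
 */
function safe_redirect(string $target, int $status = 302): void
{
    if (!in_array($status, [301, 302, 307, 308], true)) {
        $status = 302;
    }

    // If output has already started, header() would fail and the body would not be empty.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Cannot redirect: output already started at $file:$line");
    }

    // Discard every active output buffer so nothing written so far reaches the client.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }

    header('Location: ' . sanitize_redirect_target($target), true, $status);
    header('Content-Length: 0');
    exit;
}

// Usage: safe_redirect('/account?sid=abc123&page=2');
```

With the deny-list above, sanitize_redirect_target('/account?sid=abc123&page=2') returns '/account?page=2', and a call such as safe_redirect('https://example.test/login?token=secret', 302) sends a Location header of https://example.test/login with no body. Wrap the whole request handler in ob_start() early in the bootstrap so that any stray output emitted before the redirect is buffered and can be discarded here instead of leaking into the response.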