Remediation Steps

Follow the steps below to remediate this finding on Drupal.

  1. Audit any custom redirect logic in hook_form_submit or EventSubscriber implementations.

  2. Use the Drupal redirect service:

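    // $url holds the destination for the redirect.
    $response = new \Symfony\Component\HttpFoundation\RedirectResponse($url);
    // Send the redirect headers to the client immediately.
    $response->send();
    // Stop execution so no further output follows the redirect.
    exit;

  3. Review the Redirect module configuration to ensure destination URLs do not contain sensitive tokens.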
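
One way to support steps 1 and 3 is to check each destination for token-like parameters before it is handed to `RedirectResponse`. This is an added example, not code from the original page or from Drupal; the helper name `find_sensitive_params` and the list of parameter names are assumptions to adapt per site.

```php
<?php

// Assumed list of parameter names treated as sensitive; adjust per site.
const SENSITIVE_PARAMS = ['token', 'access_token', 'api_key', 'password', 'sid'];

/**
 * Hypothetical helper: returns the names of sensitive parameters found in
 * the query string or fragment of a redirect destination.
 */
function find_sensitive_params(string $url): array {
  $found = [];
  foreach ([PHP_URL_QUERY, PHP_URL_FRAGMENT] as $component) {
    $part = parse_url($url, $component);
    // parse_url() gives null for a missing component, false for a bad URL.
    if (!is_string($part) || $part === '') {
      continue;
    }
    parse_str($part, $params);
    foreach (array_keys($params) as $name) {
      // Keys can be integers (e.g. "?0=x"), so cast before comparing.
      if (in_array(strtolower((string) $name), SENSITIVE_PARAMS, true)) {
        $found[] = (string) $name;
      }
    }
  }
  return array_values(array_unique($found));
}

// Constructed sample destinations, not taken from a real site.
$samples = [
  '/node/12?page=2',
  '/user/reset?token=CONSTRUCTED-VALUE&destination=/dashboard',
  'https://example.com/cb#access_token=CONSTRUCTED-VALUE',
];

foreach ($samples as $url) {
  $hits = find_sensitive_params($url);
  echo $url, ' => ', $hits ? 'flag: ' . implode(', ', $hits) : 'ok', PHP_EOL;
}
```

The same function can be run over destinations exported from the Redirect module configuration, or called in custom redirect code just before the response is built.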