---
title: Route forwards POST data across API redirections
description: Datadog, the leading service for cloud-scale monitoring.
---

# Route forwards POST data across API redirections
 
## Description{% #description %}

An API endpoint forwards POST data across redirections from external APIs. When an application follows an HTTP redirect and resends the original POST body to the new destination, sensitive data such as credentials, tokens, or personally identifiable information may be unintentionally leaked to an untrusted third party. This behavior may happen when the external API responds with a 307 or 308 status code, which instructs the client to repeat the request with the same method and body.

## Rationale{% #rationale %}

This finding identifies an API route that accepts 307 or 308 redirections from a third-party API call.

## Remediation{% #remediation %}

- Configure HTTP clients to not forward POST bodies across redirections
- Implement explicit redirect handling that validates the target and strips sensitive data before following
- Ensure that sensitive data is only sent to explicitly trusted endpoints
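
The following sketch shows one way to apply these three points together; it is an added example, not Datadog code. The allowlist, the sensitive field names, and the `send` transport callable are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

TRUSTED_HOSTS = {"api.partner.example", "eu.api.partner.example"}  # constructed allowlist
SENSITIVE_FIELDS = {"password", "token", "ssn"}  # hypothetical field names
BODY_PRESERVING = {307, 308}  # redirects that ask the client to repeat method and body


class RedirectBlocked(Exception):
    """Raised when a redirect would carry the POST body to an unvetted target."""


def origin(url):
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)


def safe_post(send, url, payload, max_hops=3):
    """POST `payload` (a dict) with redirects handled here, not by the HTTP client.

    `send(url, payload)` is a caller-supplied transport returning (status, headers).
    With the requests library it would wrap
    requests.post(url, json=payload, allow_redirects=False).
    Other 3xx codes are returned to the caller unfollowed.
    """
    for _ in range(max_hops + 1):
        status, headers = send(url, payload)
        if status not in BODY_PRESERVING:
            return status, url
        # Resolve relative Location values against the URL that issued the redirect.
        target = urljoin(url, headers.get("Location", ""))
        parts = urlsplit(target)
        if parts.scheme != "https" or parts.hostname not in TRUSTED_HOSTS:
            raise RedirectBlocked(f"refusing to resend POST body to {target}")
        if origin(target) != origin(url):
            # Crossing origins: drop fields the new endpoint has no need to receive.
            payload = {k: v for k, v in payload.items() if k not in SENSITIVE_FIELDS}
        url = target
    raise RedirectBlocked("too many redirects")
```
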

### References{% #references %}

| Reference                                                                                                                         | Description                                                       |
| --------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- |
| [OWASP API10:2023 - Unsafe Consumption of APIs](https://owasp.org/API-Security/editions/2023/en/0xaa-unsafe-consumption-of-apis/) | OWASP API Security guidance on safely consuming third-party APIs. |
