---
title: Route follows redirections from external APIs
description: Datadog, the leading service for cloud-scale monitoring.
---

# Route follows redirections from external APIs
 
## Description{% #description %}

An API endpoint follows redirections from external APIs. When an application automatically follows HTTP redirects returned by a third-party API, it may be tricked into sending requests to unintended or malicious destinations. An attacker who controls or compromises the external API could redirect your application to internal services, exposing sensitive data or enabling server-side request forgery (SSRF).

## Rationale{% #rationale %}

This finding identifies API routes that automatically follow HTTP redirections (3xx responses) when communicating with external APIs, rather than handling them explicitly.

## Remediation{% #remediation %}

- Disable automatic redirect following for HTTP clients calling external APIs
- If redirections must be followed, validate the target URL against an allowlist before following
- Log and monitor unexpected redirections for anomaly detection
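
The three remediation steps above can be combined in one outbound client. The following Python sketch is an added example, not Datadog code: it uses the standard library's `urllib`, and the logger name, the allowlisted hosts, and the `validate_redirect`, `NoRedirectHandler`, `AllowlistRedirectHandler`, and `build_client` names are assumptions made for illustration.

```python
import logging
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

log = logging.getLogger("outbound.redirects")

# Assumption: constructed allowlist of hosts a redirect may point to.
ALLOWED_REDIRECT_HOSTS = frozenset({"api.partner.example", "cdn.partner.example"})


def validate_redirect(current_url, location, allowed=ALLOWED_REDIRECT_HOSTS):
    """Return the absolute redirect target if permitted, else raise ValueError."""
    target = urljoin(current_url, location)  # Location may be relative
    parts = urlsplit(target)
    if parts.scheme != "https":
        raise ValueError(f"scheme {parts.scheme!r} is not https")
    if parts.username or parts.password:
        raise ValueError("target carries userinfo")
    if (parts.hostname or "").lower() not in allowed:
        raise ValueError(f"host {parts.hostname!r} is not on the allowlist")
    return target


class NoRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Default for external API calls: never follow a redirect."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        log.warning("unexpected %s redirect from %s to %s", code, req.full_url, newurl)
        return None  # urllib then reports the 3xx as an HTTPError


class AllowlistRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Follow a redirect only when validate_redirect approves the target."""
    max_redirections = 3  # cap on hops per request
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        try:
            validate_redirect(req.full_url, newurl)
        except ValueError as exc:
            log.warning("blocked %s redirect from %s: %s", code, req.full_url, exc)
            raise urllib.error.HTTPError(req.full_url, code, f"blocked: {exc}", headers, fp) from exc
        log.info("following %s redirect %s -> %s", code, req.full_url, newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_client(follow_allowlisted=False):
    """Opener that never follows redirects unless allowlisted following is enabled."""
    handler = AllowlistRedirectHandler() if follow_allowlisted else NoRedirectHandler()
    return urllib.request.build_opener(handler)
```

Call `build_client().open(url)` for external APIs; a 3xx response then raises `urllib.error.HTTPError` and is logged instead of being followed.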

### References{% #references %}

| Reference                                                                                                                         | Description                                                       |
| --------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- |
| [OWASP API10:2023 - Unsafe Consumption of APIs](https://owasp.org/API-Security/editions/2023/en/0xaa-unsafe-consumption-of-apis/) | OWASP API Security guidance on safely consuming third-party APIs. |
