Handle bot scans and open redirects: two practical fixes

By Ehsan Faruque
4 min read

If your software lives on the public internet, sooner or later you'll see requests like this in your logs:

GET /.env
GET /store/.env
GET /shop/.env
User-Agent: python-httpx/0.28.1

These are automated bots scanning for common misconfigurations like:

  • Leaked environment variables
  • Misconfigured deployments
  • Accidental exposure of secrets or backups

You can't stop this automated scanning. But you can control how your app responds.

Here are two practical ways to handle the noise:

1. Don't redirect junk paths: return 404

Many modern frameworks default to redirecting unauthenticated traffic to sign-in.

So, when a bot requests `/.git/config` or random `.php` files, your server responds with a 307 Redirect to `/auth/signin`.

That feels safe, but it's actually wasteful. It:

  • Encourages scanners to keep probing (because they get a "live" response).
  • Turns one bad request into two.
  • Adds unnecessary auth and render work.

The Fix: If a path should never exist in your app, return a plain 404. 404 means "nothing here." Scanners move on.

2. Block open redirects (even if you think you're safe)

Automated bots often hunt for URL patterns like: `/auth/signin?redirectTo=...`

If you blindly trust that `redirectTo` parameter, you are vulnerable.

How? It allows attackers to "borrow" your domain's credibility. They can send a phishing email with a link like `https://yoursite.com/auth/signin?redirectTo=https://evil.com`. The user sees your domain, trusts it, clicks, and is immediately bounced to a malicious site to have their credentials stolen.

The Fix: Never trust user input in redirects.

  • Only allow redirects to relative paths (e.g., `/dashboard`).
  • Or validate against a strict list of allowed domains.

A simple rule of thumb

  • Real app routes → Redirect unauthenticated users (safely).
  • Obvious probe paths → Return 404 immediately.
  • User-supplied redirect URLs → Validate strictly or reject.
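The rule of thumb above, applied to both fixes (404 for probe paths, strict validation of `redirectTo`), as an added example that is not the article's own code. The site origin `https://yoursite.com`, the allow-listed hosts and the probe patterns are assumptions for illustration; the redirect check goes a little beyond the text by resolving the value with the WHATWG URL parser so that protocol-relative (`//evil.com`), backslash (`/\evil.com`), `user@host` and `javascript:` variants are rejected along with plain foreign domains.

```javascript
// Added example, not the article's code. The site origin, the allow-list
// and the probe patterns are assumptions chosen for illustration.
const SITE_ORIGIN = "https://yoursite.com";
const ALLOWED_REDIRECT_HOSTS = new Set(["yoursite.com", "app.yoursite.com"]);
const PROBE_PATTERNS = [
  /(^|\/)\.env$/,              // /.env, /store/.env, /shop/.env
  /(^|\/)\.git(\/|$)/,         // /.git/config
  /\.php$/i,                   // random .php files
  /\.(bak|sql|zip)$/i,         // backup / dump probes
];

// Paths that should never exist in the app: answer 404, never redirect.
function isProbePath(path) {
  return PROBE_PATTERNS.some((re) => re.test(path));
}

// Resolve redirectTo against our own origin and keep it only if it lands on
// an allow-listed host over http(s). "/dashboard" passes; "//evil.com",
// "/\evil.com", "https://yoursite.com@evil.com" and "javascript:" resolve
// to another host or scheme and are rejected.
function safeRedirectTarget(redirectTo) {
  if (typeof redirectTo !== "string" || redirectTo === "") return null;
  let url;
  try {
    url = new URL(redirectTo, SITE_ORIGIN);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (!ALLOWED_REDIRECT_HOSTS.has(url.hostname)) return null;
  return url.href;
}

// Middleware-style decision for one request: probes get a plain 404, real
// routes send unauthenticated users to sign-in with the original path
// attached, so it can be validated again after login.
function decideResponse(path, isAuthenticated) {
  if (isProbePath(path)) return { status: 404 };
  if (!isAuthenticated) {
    const location = "/auth/signin?redirectTo=" + encodeURIComponent(path);
    return { status: 307, location };
  }
  return { status: 200 };
}

// After sign-in: honour redirectTo only when it validates, else go to root.
function postSignInLocation(redirectTo) {
  return safeRedirectTarget(redirectTo) || SITE_ORIGIN + "/";
}
```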

Security isn't always about fancy tools. Sometimes it's just not engaging with noise.

Small decisions like this reduce load, lower costs, and turn your logs from a distraction into a reliable source of truth.