From c88b4e45268d2ddc5c1e8cbedc3fadafcc66b6c1 Mon Sep 17 00:00:00 2001
From: Blake Embrey
Date: Mon, 9 Sep 2024 20:33:08 -0700
Subject: [PATCH 1/2] Deprecate back magic string

---
 History.md | 5 +++++
 lib/response.js | 1 +
 2 files changed, 6 insertions(+)

diff --git a/History.md b/History.md
index 887a38f182..4de61a4ba0 100644
--- a/History.md
+++ b/History.md
@@ -1,3 +1,8 @@
+unreleased
+==========
+
+ * Deprecate `res.location("back")` and `res.redirect("back")` magic string
+
 4.20.0 / 2024-09-10
 ==========
 * deps: serve-static@0.16.0
diff --git a/lib/response.js b/lib/response.js
index 76b6b54a3b..ec801746cd 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -916,6 +916,7 @@ res.location = function location(url) {
   // "back" is an alias for the referrer
   if (url === 'back') {
+    deprecate('res.location("back"): use res.location(req.get("Referrer") || "/") and refer to https://expressjs.com/en/advanced/best-practice-security.html#prevent-open-redirects for best practices');
     loc = this.req.get('Referrer') || '/';
   } else {
     loc = String(url);

From b6637157ab1b7e7a5f26f3d2960a2373de08e6b9 Mon Sep 17 00:00:00 2001
From: Blake Embrey
Date: Wed, 11 Sep 2024 12:06:01 -0700
Subject: [PATCH 2/2] Use short URL

---
 lib/response.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/response.js b/lib/response.js
index ec801746cd..2b654f4c66 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -916,7 +916,7 @@ res.location = function location(url) {
   // "back" is an alias for the referrer
   if (url === 'back') {
-    deprecate('res.location("back"): use res.location(req.get("Referrer") || "/") and refer to https://expressjs.com/en/advanced/best-practice-security.html#prevent-open-redirects for best practices');
+    deprecate('res.location("back"): use res.location(req.get("Referrer") || "/") and refer to https://dub.sh/security-redirect for best practices');
     loc = this.req.get('Referrer') || '/';
   } else {
     loc = String(url);
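Review bot: The replacement the added deprecate() message recommends, `res.location(req.get("Referrer") || "/")`, reproduces the same unvalidated use of a client-supplied Referrer header that the deprecation exists to discourage, so a caller who follows the message literally keeps the open-redirect exposure and merely loses the warning. The message should make the validation step explicit, e.g. `deprecate('res.location("back"): validate req.get("Referrer") against the URLs your application expects before passing it to res.location(), falling back to "/"; see https://expressjs.com/en/advanced/best-practice-security.html#prevent-open-redirects');`. History.md in the same patch also deprecates `res.redirect("back")`; if res.redirect reaches this branch through res.location (not visible in the hunk), those callers will see a warning that names only res.location, so consider naming both entry points in the message. The location function starts and ends outside the hunk.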
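Review bot: The changed deprecate() line now sends users to a third-party short link, `https://dub.sh/security-redirect`, in place of the expressjs.com page the previous message used; a redirector the project does not control can be repointed, expire, or be taken over, and a warning about open redirects is an awkward place to ask users to follow an opaque redirect. If message length is the concern, keep a project-controlled destination — the prior `https://expressjs.com/en/advanced/best-practice-security.html#prevent-open-redirects` — or shorten the surrounding prose instead of the URL. The location function starts and ends outside the hunk.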