diff -r 49f68aeb1dd2 -r c0c7b4ca2946 src/main/kotlin/de/uapcore/lightpit/RequestMapping.kt --- a/src/main/kotlin/de/uapcore/lightpit/RequestMapping.kt Mon Sep 22 20:00:59 2025 +0200 +++ b/src/main/kotlin/de/uapcore/lightpit/RequestMapping.kt Sat Oct 04 13:34:33 2025 +0200 @@ -125,6 +125,8 @@ field = value if (value == null) { request.removeAttribute(Constants.REQ_ATTR_REDIRECT_LOCATION) + } else if (value.startsWith(baseHref)) { + request.setAttribute(Constants.REQ_ATTR_REDIRECT_LOCATION, value) } else { request.setAttribute(Constants.REQ_ATTR_REDIRECT_LOCATION, baseHref + value) } @@ -226,6 +228,19 @@ } fun i18n(key: String): String = ResourceBundle.getBundle("localization/strings", response.locale).getString(key) + + fun sanitizeReferer(referer: String?): String? { + if (referer == null) return null + // if someone really explicitly specifies the default port, we must support that, but we will remove it + val baseHrefWithPort = "${request.scheme}://${request.serverName}${request.serverPort}${request.contextPath}/" + return if (referer.startsWith(baseHref)) { + referer + } else if (referer.startsWith(baseHrefWithPort)) { + referer.replaceFirst(baseHrefWithPort, baseHref) + } else { + null + } + } } /**
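Review bot: The new `value.startsWith(baseHref)` branch in the redirect-location setter is a sound same-origin test only if `baseHref` always ends in `/`, and nothing in this hunk shows or enforces that. `baseHref` is defined outside the hunk; if it could ever lack the trailing slash, a value whose host merely begins with the application's host name would be stored unchanged as the redirect target. I would record the assumption next to the check, for example `// value is already absolute and below baseHref; relies on baseHref ending with '/'`. The fallback branch still prefixes everything else with `baseHref`, so foreign absolute URLs stay on-site. The setter itself starts and ends outside the hunk.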
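Review bot: In `sanitizeReferer`, `baseHrefWithPort` is built without the colon between host and port (`${request.serverName}${request.serverPort}`), so it produces a prefix of the form `scheme://hostPORT/ctx/`. A browser-sent Referer never has that form, so the explicit-port branch the comment describes cannot match and such a Referer is dropped as `null`. The prefix it does accept belongs to a different host name, although the result is still rewritten onto `baseHref`. The line should read `val baseHrefWithPort = "${request.scheme}://${request.serverName}:${request.serverPort}${request.contextPath}/"`. Because `request.serverName` is normally taken from the Host header, this check is presumably only as trustworthy as the container's Host handling; a short KDoc stating that the function returns `null` for any Referer outside the application would make the contract clear to callers.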