From 77ada906dba57fd6e308f0d750e01653dbeaddfc Mon Sep 17 00:00:00 2001
From: Blake Embrey
Date: Wed, 11 Sep 2024 12:24:22 -0700
Subject: [PATCH] Deprecate `"back"` magic string in redirects (#5935)
---
 History.md | 5 +++++
 lib/response.js | 1 +
 2 files changed, 6 insertions(+)
diff --git a/History.md b/History.md
index 887a38f182..4de61a4ba0 100644
--- a/History.md
+++ b/History.md
@@ -1,3 +1,8 @@
+unreleased
+==========
+
+ * Deprecate `res.location("back")` and `res.redirect("back")` magic string
+
 4.20.0 / 2024-09-10
 ==========
 * deps: serve-static@0.16.0
diff --git a/lib/response.js b/lib/response.js
index 76b6b54a3b..2b654f4c66 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -916,6 +916,7 @@ res.location = function location(url) {
 // "back" is an alias for the referrer
 if (url === 'back') {
+ deprecate('res.location("back"): use res.location(req.get("Referrer") || "/") and refer to https://dub.sh/security-redirect for best practices');
 loc = this.req.get('Referrer') || '/';
 } else {
 loc = String(url);
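Review bot: The deprecation message added in the `url === 'back'` branch recommends `res.location(req.get("Referrer") || "/")` as the replacement, which still copies a request-supplied header into `Location` unchecked, so a caller who follows it literally keeps redirecting to whatever the client sent. Making the validation step explicit in the text would help, e.g. `deprecate('res.location("back"): read req.get("Referrer") yourself, check it against the origins you allow, and fall back to "/"');`. The best-practices link goes through a URL shortener (`dub.sh`), so its destination is not visible from the message and is not under the project's control; a link on the project's own documentation domain would be easier to audit. The commit title and History.md also name `res.redirect("back")`, yet only `res.location` gains a call here; presumably redirect delegates to location, in which case the warning will name `res.location` to callers who only used `res.redirect`, which is worth confirming. `res.location` begins above the hunk and its body continues past the last line shown.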