Information
Setting the preserveFullyQualifiedReferrerUrl attribute to false ensures that the host for the referrer URL is removed, and that the redirect is to localhost.
Using a fully qualified referrer URL containing the hostname may open your systems to potential URL redirect attacks.
Solution
Set the preserveFullyQualifiedReferrerUrl attribute to false in the webAppSecurity element in ${server.config.dir}/configDropins/overrides/*.xml:
<webAppSecurity preserveFullyQualifiedReferrerUrl="false" />
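One way to verify the setting across the override files, as an added example that is not part of the original check: the function names, status labels and sample documents are assumptions made for illustration. The script requires the attribute to be set explicitly, as the Solution describes, and treats any explicit value other than false as a failure.

```python
import glob, os, sys
import xml.etree.ElementTree as ET

ATTR = "preserveFullyQualifiedReferrerUrl"

def check_config(xml_text):
    """Classify one Liberty config document as PASS, FAIL, UNSET or ERROR."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return "ERROR", f"unparseable XML: {exc}"
    # Only webAppSecurity elements that set the attribute explicitly count.
    values = [el.get(ATTR) for el in root.iter("webAppSecurity")
              if el.get(ATTR) is not None]
    if not values:
        return "UNSET", f"{ATTR} is not set in this file"
    # Conservative: any explicit value other than "false" fails, including
    # "true" and unresolved ${variable} references.
    bad = [v for v in values if v.strip().lower() != "false"]
    if bad:
        return "FAIL", f"{ATTR} set to {bad}"
    return "PASS", f'{ATTR}="false"'

def audit_overrides(server_config_dir):
    """Compliant when at least one override file passes and none fails."""
    pattern = os.path.join(server_config_dir, "configDropins", "overrides", "*.xml")
    results = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as fh:
            results[path] = check_config(fh.read())
    statuses = {status for status, _ in results.values()}
    return "PASS" in statuses and not statuses & {"FAIL", "ERROR"}, results

# Constructed sample documents, not taken from a real server.
SAMPLE_GOOD = '<server><webAppSecurity preserveFullyQualifiedReferrerUrl="false" /></server>'
SAMPLE_BAD = '<server><webAppSecurity preserveFullyQualifiedReferrerUrl="true" /></server>'
SAMPLE_UNSET = '<server><webAppSecurity ssoCookieName="ltpa" /></server>'

if __name__ == "__main__":
    if len(sys.argv) > 1:  # argument: the resolved ${server.config.dir}
        compliant, results = audit_overrides(sys.argv[1])
        for path, (status, detail) in results.items():
            print(f"{status:5} {path}: {detail}")
        sys.exit(0 if compliant else 1)
    for doc in (SAMPLE_GOOD, SAMPLE_BAD, SAMPLE_UNSET):
        print(check_config(doc))
```

Run it with the resolved server configuration directory as the only argument; the exit status is 0 only when an override file sets the attribute to false and no override file sets it to anything else.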