diff --git a/app/models/logging.js b/app/models/logging.js
index fff3fbeee..472457690 100644
--- a/app/models/logging.js
+++ b/app/models/logging.js
@@ -262,7 +262,8 @@ http.ServerResponse.prototype.redirect = function (url) {
 http.ServerResponse.prototype.safeRedirect = function (url) {
 const fullURL = new URL(url, config.urlPrefix);
- if (!fullURL.toString().startsWith(config.urlPrefix)) return this.forbidden();
+ if (`${fullURL.protocol}//${fullURL.host}` !== config.urlPrefix)
+ return this.forbidden();
 this.redirect(url);
 };
diff --git a/test/api/security.api.tests.js b/test/api/security.api.tests.js
index 4061fed10..c4d09f3e7 100644
--- a/test/api/security.api.tests.js
+++ b/test/api/security.api.tests.js
@@ -43,5 +43,14 @@ describe('security', () => {
 });
 assert.equal(response.statusCode, 403); // forbidden
 });
+
+ it('should NOT allow redirect to a disguised domain', async () => {
+ const { jar } = await loginAs(ADMIN_USER);
+ const { response } = await postRaw(jar, `/consent`, {
+ lang: 'en',
+ redirect: `${URL_PREFIX}@google.com`,
+ });
+ assert.equal(response.statusCode, 403); // forbidden
+ });
 });
 });
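Review bot: The new comparison on the added `if` line assumes `config.urlPrefix` is exactly `scheme://host[:port]` with no path and no trailing slash; if the configured prefix carries either, the template string never equals it and every safeRedirect is refused, whereas the replaced startsWith check tolerated a path suffix. Comparing origins is insensitive to that formatting and still rejects the userinfo form this hunk closes: `if (fullURL.origin !== new URL(config.urlPrefix).origin) return this.forbidden();` — at the cost of no longer confining redirects to a path under the prefix, if that was ever intended. Separately, `new URL(url, config.urlPrefix)` on the preceding context line throws a TypeError on an unparsable `url`, so a malformed redirect target surfaces as an exception rather than a 403 unless a caller catches it; wrapping the parse in a try/catch that falls through to `this.forbidden()` would keep the response uniform. The whole safeRedirect body is inside the hunk, but any caller-side error handling is not visible here.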
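Review bot: The added case pins only the userinfo form `${URL_PREFIX}@google.com`; because the tightened comparison in safeRedirect now requires an exact match against `config.urlPrefix`, a positive case asserting that a redirect to a path under `URL_PREFIX` is still accepted would catch the regression where every redirect becomes 403 when the prefix carries a trailing slash or path. Such a case may already exist earlier in this `describe`, which starts outside the hunk. The request also goes through the /consent route, so a 403 could come from any other validation in that handler rather than from the redirect check; if the handler rejects other inputs with 403 as well, asserting on the response body or the absence of a Location header would make the test specific to safeRedirect.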