I’ve seen similar questions on this, but not to the degree of specificity I’m hoping for, so… here goes.

I’ve got a couple of web applications that use a redirectUrl parameter in an endpoint to allow for navigating to a specific page when the endpoint is completed its processing. The redirectUrl parameter must be dynamic because I support multiple vanity URLs that want their own branding on things, for example:

• https://myapp.glamorousclownmakeup.com
• https://myapp.yomommasougly.com
• https://myapp.sales.lefthandedwidgets.com
• https://myapp.marketing.lefthandedwidgets.com

What I want to do is prevent a redirect URL from being hijacked to redirect someone towards a malicious website (like https://myapp.glamorousclownmakeup.com.malicioushost.com).

My idea is to have a well-defined list of domain names, like:

• glamorousclownmakeup.com
• yomommasougly.com
• lefthandedwidgets.com

… and if the redirect URL belongs to these domains, allow the redirect, and if not, prevent the redirect.

Note the lefthandedwidgets.com domain however. I have several URLs that are not of a particular domain, but various multiple subdomains. The subdomains may be several levels deep, like https://myapp.eastcoast.sales.lefthandedwidgets.com or something similar. There are also cases where the domain might be something like https://myapp.canberra.sales.lefthandedwidgets.com.au. In this case, the allowed domain I would define would be lefthandedwidgets.com.au.

All solutions to address these kinds of cases that I’ve seen to this point involve direct string manipulation and evaluation, and that seems… odd to me. Kinda kludgy and hackish, especially when I see solutions using regex. Granted, DNS is an old technology with all sorts of weirdness, but still…

Is there a mechanism to quickly, confidently determine whether or not the hostname is a part of an approved domain, or subdomain of an approved domain, or sub-subdomain of an approved domain, etc. without doing pure string manipulation to count the periods from the end of the hostname and brute-force parsing it? I mean, I could, without a huge amount of effort, but it sure seems there should be a more elegant, built-in solution for this and I’d hate to write code for functionality that already exists.

TL;DR: I want to know if a hostname belongs to a certain domain or a subdomain of a domain, regardless of how many sub-domain levels deep it might be, using built-in .NET Core functionality.