prevent 302 redirect hijack