diff --git a/kobo/hub/views.py b/kobo/hub/views.py
index 2ba0a9f1..a3cb0c2c 100644
--- a/kobo/hub/views.py
+++ b/kobo/hub/views.py
@@ -10,6 +10,7 @@
 from django.shortcuts import render, get_object_or_404
 from django.urls import reverse
 from django.views.generic import RedirectView
+from django.utils.http import url_has_allowed_host_and_scheme
 
 from kobo.hub.models import Arch, Channel, Task
 from kobo.hub.forms import TaskSearchForm
@@ -241,11 +242,16 @@ def krb5login(request, redirect_field_name=REDIRECT_FIELD_NAME):
     middleware = 'kobo.django.auth.middleware.LimitedRemoteUserMiddleware'
     if middleware not in settings.MIDDLEWARE:
         raise ImproperlyConfigured("krb5login view requires '%s' middleware installed" % middleware)
-    redirect_to = request.POST.get(redirect_field_name, "")
-    if not redirect_to:
-        redirect_to = request.GET.get(redirect_field_name, "")
-    if not redirect_to:
-        redirect_to = reverse("home/index")
+
+    redirect_to = request.POST.get(redirect_field_name, request.GET.get(redirect_field_name))
+    url_is_safe = url_has_allowed_host_and_scheme(
+            url=redirect_to,
+            allowed_hosts=request.get_host(),
+            require_https=request.is_secure(),
+    )
+    if not url_is_safe:
+        redirect_to = reverse(settings.LOGIN_REDIRECT_URL)
+
     return RedirectView.as_view(url=redirect_to, permanent=True)(request)
 
 def oidclogin(request):