diff --git a/src/web/auth.js b/src/web/auth.js
index ef4bd84c..b71c4887 100644
--- a/src/web/auth.js
+++ b/src/web/auth.js
@@ -18,6 +18,19 @@ var csrf = require("./csrf");
 const LOGGER = require('@calzoneman/jsli')('web/auth');
 
+function getSafeReferrer(req) {
+    const referrer = req.header('referer');
+    const { hostname } = url.parse(referrer);
+
+    // TODO: come back to this when refactoring http alt domains
+    if (hostname === Config.get('http.root-domain')
+            || Config.get('http.alt-domains').includes(hostname)) {
+        return referrer;
+    } else {
+        return null;
+    }
+}
+
 /**
  * Processes a login request. Sets a cookie upon successful authentication
  */
@@ -27,7 +40,7 @@ function handleLogin(req, res) {
     var name = req.body.name;
     var password = req.body.password;
     var rememberMe = req.body.remember;
-    var dest = req.body.dest || req.header("referer") || null;
+    var dest = req.body.dest || getSafeReferrer(req) || null;
     dest = dest && dest.match(/login|logout/) ? null : dest;
 
     if (typeof name !== "string" || typeof password !== "string") {
@@ -36,6 +49,7 @@ function handleLogin(req, res) {
     }
 
     var host = req.hostname;
+    // TODO: remove this check from /login, make it generic middleware
     if (host.indexOf(Config.get("http.root-domain")) === -1 &&
             Config.get("http.alt-domains").indexOf(host) === -1) {
         LOGGER.warn("Attempted login from non-approved domain " + host);
@@ -102,7 +116,7 @@ function handleLoginPage(req, res) {
         });
     }
 
-    var redirect = req.query.dest || req.header("referer");
+    var redirect = getSafeReferrer(req);
     var locals = {};
     if (!/\/register/.test(redirect)) {
         locals.redirect = redirect;
@@ -120,7 +134,7 @@ function handleLogout(req, res) {
     res.clearCookie("auth");
     res.locals.loggedIn = res.locals.loginName = res.locals.superadmin = false;
     // Try to find an appropriate redirect
-    var dest = req.body.dest || req.header("referer");
+    var dest = req.body.dest || getSafeReferrer(req);
     dest = dest && dest.match(/login|logout|account/) ? null : dest;
 
     var host = req.hostname;
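Review bot: getSafeReferrer throws on the common case of a request that carries no Referer header: `req.header('referer')` is then `undefined`, and the legacy `url.parse` rejects a non-string argument, so a direct visit to /login (hunk at line 116) or a login/logout POST sent without a referer (hunks at lines 40 and 134) errors out instead of falling back to `null`. Guard before parsing, `if (typeof referrer !== 'string' || referrer === '') return null;`. The allow-list itself compares the parsed hostname exactly against root-domain and alt-domains, which is the right shape; as a follow-up, parsing with the WHATWG `new URL(referrer)` inside a try/catch would be preferable to the legacy parser, which is more lenient about authority separators and can disagree with browsers on which host a URL names, provided the Node target supplies the `URL` global. The `url` module is not visible in the hunk, so it is presumably required further up the file.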
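Review bot: `req.body.dest` on the changed line in handleLogin is still accepted verbatim, so only the Referer path goes through the new host allow-list while a body-supplied destination bypasses it entirely; the same pattern remains on the changed line in handleLogout (hunk at line 134). Since the templates in this commit stop emitting a `dest` field, the cheapest fix is to route the body value through the same check, for example by factoring the hostname comparison out of getSafeReferrer into an `isSafeRedirect(target)` helper and writing `var dest = isSafeRedirect(req.body.dest) ? req.body.dest : getSafeReferrer(req);`. As far as the hunk shows, the `_csrf` token on the form limits who can submit that body cross-site, so this is closing a residual gap rather than an open redirect reachable by a plain link. The trailing `|| null` is now redundant because getSafeReferrer already returns null on the miss path.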
diff --git a/templates/nav.pug b/templates/nav.pug
index 939e1b3b..370222a1 100644
--- a/templates/nav.pug
+++ b/templates/nav.pug
@@ -33,7 +33,7 @@ mixin navdefaultlinks(page)
       li: a(href=loginDomain+"/account/profile") Profile
       li: a(href=loginDomain+"/account/edit") Change Password/Email
     else
-      li: a(href=loginDomain+"/login?dest=" + encodeURIComponent(baseUrl + page)) Login
+      li: a(href=loginDomain+"/login") Login
       li: a(href=loginDomain+"/register") Register
 
 mixin navsuperadmin(newTab)
@@ -55,7 +55,6 @@ mixin navloginform(redirect)
   .visible-lg
     form#loginform.navbar-form.navbar-right(action=loginDomain+"/login", method="post")
       input(type="hidden", name="_csrf", value=csrfToken)
-      input(type="hidden", name="dest", value=baseUrl + redirect)
       .form-group
         input#username.form-control(type="text", name="name", placeholder="Username")
       .form-group
@@ -68,14 +67,13 @@ mixin navloginform(redirect)
       button#login.btn.btn-default(type="submit") Login
   .visible-md
     p#loginform.navbar-text.pull-right
-      a#login.navbar-link(href=loginDomain+"/login?dest="+encodeURIComponent(baseUrl+redirect)) Log in
+      a#login.navbar-link(href=loginDomain+"/login") Log in
       span  ·
       a#register.navbar-link(href="/register") Register
 
 mixin navlogoutform(redirect)
   form#logoutform.navbar-text.pull-right(action="/logout", method="post")
-    input(type="hidden", name="dest", value=baseUrl + redirect)
     input(type="hidden", name="_csrf", value=csrfToken)
     span#welcome Welcome, #{loginName}
     span  ·