diff --git a/proxy/config.dist.php b/proxy/config.dist.php
index 48b6f16..24efac2 100644
--- a/proxy/config.dist.php
+++ b/proxy/config.dist.php
@@ -54,7 +54,6 @@ $target_open      = $target_civicrm . '/civicrm/mailing/open';
 //$target_url       = $target_civicrm . '/sites/all/modules/civicrm/extern/url.php';
 //$target_open      = $target_civicrm . '/sites/all/modules/civicrm/extern/open.php';
 
-
 /****************************************************************
  **                    GENERAL OPTIONS                         **
  ****************************************************************/
@@ -97,6 +96,23 @@ if (file_exists(dirname(__FILE__)."/secrets.php")) {
   require "secrets.php";
 }
 
+// Parameter whitelisting for open tracking and URL tracking
+// basic civicrm URL/open parameter are u, q and qid (as int)
+// If additional parameters are needed, best practise would be to whitelist each one as needed in
+// $valid_url_parameters and/or $valid_open_parameters.
+// Alternatively it is also possible to allow all parameters with the wildcard parameter '*' => 'string'
+$valid_url_parameters = [
+    'u'   => 'int',
+    'q'   => 'int',
+    'qid' => 'int',
+//    '*'   => 'string'     // whildcard, whitelist all url parameters
+];
+$valid_open_parameters = [
+    'u'   => 'int',
+    'q'   => 'int',
+    'qid' => 'int',
+//    '*'   => 'string'     // wildcard, whitelist *all* open parameters
+];
 // CiviCRM's API can authenticate with different flows
 // https://docs.civicrm.org/dev/en/latest/framework/authx/#flows
 // CiviProxy supports 'header', 'xheader', 'legacyrest', and 'param'.
diff --git a/proxy/open.php b/proxy/open.php
index c4e1200..fb45410 100644
--- a/proxy/open.php
+++ b/proxy/open.php
@@ -16,11 +16,5 @@ if (!$target_open) civiproxy_http_error("Feature disabled", 405);
 // basic check
 civiproxy_security_check('open');
 
-// basic restraints
-$valid_parameters = [
-  'q'   => 'int',
-  'qid' => 'int',
-];
-
-$parameters = civiproxy_get_parameters($valid_parameters);
+$parameters = civiproxy_get_parameters($valid_open_parameters);
 civiproxy_redirect($target_open, $parameters);
diff --git a/proxy/url.php b/proxy/url.php
index d5b7807..b68839c 100644
--- a/proxy/url.php
+++ b/proxy/url.php
@@ -16,10 +16,5 @@ if (!$target_url) civiproxy_http_error("Feature disabled", 405);
 // basic check
 civiproxy_security_check('url');
 
-// basic restraints
-$valid_parameters = array(  'u'   => 'int',
-                            'q'   => 'int',
-                            'qid' => 'int');
-
-$parameters = civiproxy_get_parameters($valid_parameters);
+$parameters = civiproxy_get_parameters($valid_url_parameters);
 civiproxy_redirect($target_url, $parameters);