diff --git a/apps/charterafrica/contrib/dokku/Dockerfile b/apps/charterafrica/contrib/dokku/Dockerfile
index 96ea957bc..3886afd27 100644
--- a/apps/charterafrica/contrib/dokku/Dockerfile
+++ b/apps/charterafrica/contrib/dokku/Dockerfile
@@ -1 +1 @@
-FROM codeforafrica/charterafrica-ui:0.1.9
+FROM codeforafrica/charterafrica-ui:0.1.10
diff --git a/apps/charterafrica/package.json b/apps/charterafrica/package.json
index a18844b8c..0c0bf33f9 100644
--- a/apps/charterafrica/package.json
+++ b/apps/charterafrica/package.json
@@ -1,6 +1,6 @@
 {
 "name": "charterafrica",
- "version": "0.1.9",
+ "version": "0.1.10",
 "private": true,
 "author": "Code for Africa ",
 "description": "This is the official code for https://charter.africa site",
diff --git a/apps/charterafrica/src/pages/api/v1/disable-draft.page.js b/apps/charterafrica/src/pages/api/v1/disable-draft.page.js
new file mode 100644
index 000000000..39febffb5
--- /dev/null
+++ b/apps/charterafrica/src/pages/api/v1/disable-draft.page.js
@@ -0,0 +1,5 @@
+// By default, the Draft Mode session ends when the browser is closed.
+// This method clears it manually / on demand.
+export default function handler(req, res) {
+ res.setDraftMode({ enable: false });
+}
diff --git a/apps/charterafrica/src/pages/api/v1/draft/index.page.js b/apps/charterafrica/src/pages/api/v1/draft/index.page.js
index 33bdc28f7..1c8385e03 100644
--- a/apps/charterafrica/src/pages/api/v1/draft/index.page.js
+++ b/apps/charterafrica/src/pages/api/v1/draft/index.page.js
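Review bot: The new `disable-draft.page.js` handler clears Draft Mode but never ends the response, so the request stalls until the client gives up and Next.js warns that the API route resolved without sending a response; add `res.end();` (or a redirect back to the page being previewed) after `res.setDraftMode({ enable: false });`. The endpoint also accepts every HTTP method and performs no authentication check of its own, which is acceptable for an action that only clears a cookie but deserves a one-line comment stating that this is intentional. The Dockerfile and package.json hunks on this line are version bumps and need no review.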
@@ -3,10 +3,18 @@
 export default async function handler(req, res) {
 // make sure the user requesting to preview, is logged into Payload
 // See "Tip" on: https://payloadcms.com/docs/authentication/overview#token-based-auth
 if (!req.user) {
- return res.status(500).json({ message: "UNAUTHORIZED_USER" });
+ return res.status(401).json({ message: "UNAUTHORIZED_USER" });
 }
 const { slug } = req.query;
 res.setDraftMode({ enable: true });
- return res.redirect(slug);
+ // Guard against open redirect vulnerabilities
+ // Since slug will be a path, redirect to pathname instead of original slug
+ // just in case
+ const appUrl = new URL(process.env.NEXT_PUBLIC_APP_URL);
+ const requestedUrl = new URL(slug, appUrl);
+ if (requestedUrl.origin !== appUrl.origin) {
+ return res.status(401).json({ message: "UNAUTHORIZED_REDIRECT" });
+ }
+ return res.redirect(requestedUrl.pathname);
 }
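Review bot: `res.setDraftMode({ enable: true });` still runs before the new origin check, so a request whose `slug` fails the check is answered with `UNAUTHORIZED_REDIRECT` yet leaves the Draft Mode cookie set on the client; move that line below the `if (requestedUrl.origin !== appUrl.origin)` block so the cookie is only issued on the success path. `slug` is also passed to `new URL` unvalidated: when the query parameter is absent `new URL(undefined, appUrl)` resolves to `/undefined` instead of failing, and a repeated parameter arrives as an array and is stringified, so a guard such as `if (typeof slug !== "string") { return res.status(400).json({ message: "UNAUTHORIZED_REDIRECT" }); }` before the URL parsing would close both cases. Since the caller is already authenticated at that point, 400 rather than 401 is the more accurate status for a rejected redirect target. If `NEXT_PUBLIC_APP_URL` is unset, `new URL(process.env.NEXT_PUBLIC_APP_URL)` throws a TypeError and the route fails with a generic 500, which is presumably acceptable but worth a short comment on that line.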