diff --git a/app/controllers/admin/themes_controller.rb b/app/controllers/admin/themes_controller.rb
index b0f8d21f396..5c711a1e6ac 100644
--- a/app/controllers/admin/themes_controller.rb
+++ b/app/controllers/admin/themes_controller.rb
@@ -5,10 +5,14 @@ class Admin::ThemesController < Admin::AdminController
   skip_before_action :check_xhr, only: [:show, :preview]
+  def self.whitelist_theme_key(user)
+    "whitelist_theme_key_#{user.id}"
+  end
+
   def preview
     @theme = Theme.find(params[:id])
-
-    redirect_to path("/"), flash: { preview_theme_key: @theme.key }
+    $redis.setex(Admin::ThemesController.whitelist_theme_key(current_user), 60, @theme.key)
+    redirect_to path("/?preview_theme_key=#{@theme.key}")
   end
   def upload_asset
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 653ba952fc1..e784e68f0f3 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -307,7 +307,13 @@ class ApplicationController < ActionController::Base
     resolve_safe_mode
     return if request.env[NO_CUSTOM]
-    theme_key = flash[:preview_theme_key]
+    theme_key = nil
+    if (k = request[:preview_theme_key]) && current_user
+      # some extra security, only to use the magic param the key needs to be whitelisted
+      if k == $redis.get(::Admin::ThemesController.whitelist_theme_key(current_user))
+        theme_key = k
+      end
+    end
     user_option = current_user&.user_option
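Review bot: In the new `redirect_to path("/?preview_theme_key=#{@theme.key}")` the theme key is interpolated into the query string unencoded, so the URL is only well-formed if keys never contain characters that are special in a query string; the format of `Theme#key` is not visible here, and `redirect_to path("/?preview_theme_key=#{CGI.escape(@theme.key)}")` (CGI is stdlib) makes the redirect correct regardless of how keys are generated. The `60` passed to `$redis.setex` and the `whitelist_theme_key_` prefix are magic values that application_controller.rb's lookup depends on; a named constant beside `whitelist_theme_key`, e.g. `PREVIEW_WHITELIST_TTL = 60`, would document how long the preview param stays honoured. `whitelist_theme_key` itself deserves a one-line comment saying that the redis value under this per-user key is the theme key the user is currently allowed to preview via the `preview_theme_key` query param, and that it expires after the TTL. Because the key now travels in the URL rather than in flash it can end up in logs and referrers, but the per-user redis check means it is unusable for any other session, which is worth stating in that comment so the design is not "fixed" later.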
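Review bot: The two nested `if`s added after `theme_key = nil` can be flattened without changing behaviour: `if current_user && (k = request[:preview_theme_key])` followed by `theme_key = k if k == $redis.get(::Admin::ThemesController.whitelist_theme_key(current_user))`, which also reads `current_user` before touching the param. The inline comment is hard to parse; suggest `# honour the preview param only if this user whitelisted that exact theme key via Admin::ThemesController#preview (redis entry, short TTL)`. If the whitelisted value is meant to be treated as a secret token, `ActiveSupport::SecurityUtils.secure_compare` is the conventional comparison, but it raises on nil or non-String operands (`$redis.get` returns nil when nothing is whitelisted, and a repeated query param arrives as an Array), so the lookup result must be guarded first; with a per-user value that expires after 60 seconds the practical gain over `==` is small either way. The enclosing method starts and ends outside this hunk, so how `theme_key` is consumed afterwards is not visible.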