Restricting redirects through Scala Stream Collector

We just transitioned email link click tracking from an old home-grown service to our collectors using the “/r/tp2” endpoint. Our security staff have expressed concern that the redirects are wide open so that a phisher could redirect users to a malicious site using the collector’s redirect functionality. Is anyone aware of a mechanism we can use to lock down the redirects?
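
One way to close the open redirect described above is an allowlist check that runs in a filter in front of the collector. This is an added example, not part of the original post and not Snowplow's own code. It assumes the redirect target arrives in the `u` query parameter of `/r/tp2`; the host names and function names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: hosts your email links legitimately point to (constructed values).
ALLOWED_HOSTS = {"example.com", "shop.example.com"}
ALLOW_SUBDOMAINS_OF = {"example.com"}


def redirect_target_allowed(target: str) -> bool:
    """Return True only for absolute http(s) URLs whose host is allowlisted."""
    # Backslashes and control characters are parsed inconsistently by browsers.
    if any(c in target for c in "\\\r\n\t") or target != target.strip():
        return False
    try:
        parts = urlsplit(target)
        host = parts.hostname
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # Scheme-relative ("//host") and non-web schemes are never redirect targets.
    if parts.scheme not in ("http", "https") or not host:
        return False
    # Reject userinfo: "https://example.com@evil.test/" has host evil.test.
    if parts.username is not None or parts.password is not None:
        return False
    host = host.rstrip(".").lower()
    if host in ALLOWED_HOSTS:
        return True
    # Match on a leading dot so "evilexample.com" does not pass as a subdomain.
    return any(host.endswith("." + d) for d in ALLOW_SUBDOMAINS_OF)


def collector_request_allowed(request_uri: str) -> bool:
    """Decide whether a request URI may be passed through to the collector."""
    parts = urlsplit(request_uri)
    if parts.path != "/r/tp2":
        return True  # not a redirect request; out of scope for this filter
    targets = parse_qs(parts.query).get("u", [])
    # Require exactly one target so duplicate parameters cannot disagree.
    return len(targets) == 1 and redirect_target_allowed(targets[0])
```

Requests the filter rejects can be answered with an error page instead of being forwarded, and logging them gives the security team a record of attempted abuse.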