---
title: Validate OAuth Redirect URIs Exactly
impact: CRITICAL
impactDescription: prevents OAuth redirect hijacking
tags: oauth, redirect, uri, validation, security
---

## Validate OAuth Redirect URIs Exactly

The authorization server sends the authorization code to whatever `redirect_uri` the request names. If the server accepts a URI that merely resembles a registered one, an attacker crafts an authorization URL whose `redirect_uri` points at a host they control, gets a victim to approve it, and receives the code (and, unless PKCE or a client secret blocks the exchange, the tokens). RFC 6749 §3.1.2.3 requires simple string comparison when the full URI is registered, and the OAuth 2.0 Security BCP (RFC 9700) makes exact string matching mandatory.

**Incorrect (partial/loose validation):**

```go
package main

import "strings"

// Dangerous - substring match.
func looseContains(redirectURI string) bool {
	// Allows https://attacker.com/?example.com
	return strings.Contains(redirectURI, "example.com")
}

// Dangerous - prefix match.
func loosePrefix(redirectURI string) bool {
	// Allows https://example.com.attacker.com/ and https://example.com@attacker.com/
	return strings.HasPrefix(redirectURI, "https://example.com")
}
```

**Correct (exact match against registered URIs):**

```go
package main

import "net/http"

// Registered redirect URIs, stored as the exact strings the client supplied
// at registration. In a real server this list is looked up by client_id.
var registeredRedirectURIs = []string{
	"https://app.example.com/callback",
}

func isValidRedirect(uri string) bool {
	// Exact match required: no prefix, substring, wildcard or regex.
	for _, r := range registeredRedirectURIs {
		if r == uri {
			return true
		}
	}
	return false
}

func AuthorizeHandler(w http.ResponseWriter, r *http.Request) {
	redirectURI := r.URL.Query().Get("redirect_uri")
	if !isValidRedirect(redirectURI) {
		// Show an error page; never redirect to the unvalidated URI.
		http.Error(w, "Invalid redirect URI", http.StatusBadRequest)
		return
	}
	// ...
}
```

**Requirements:**
- Exact string match of `redirect_uri` against the URIs registered for that `client_id` (RFC 6749 §3.1.2.3); the value must be an absolute URI with no fragment (§3.1.2).
- No wildcards, prefix, substring or regex matching. The one sanctioned relaxation is the port of a loopback redirect for native apps (RFC 8252 §7.3: `http://127.0.0.1:<any port>/...`).
- Accept an omitted `redirect_uri` only when exactly one URI is registered for the client.
- HTTPS required for production; plain `http` only for the loopback literals above, never for `localhost`.
- On mismatch, show an error page and never redirect to the supplied URI (RFC 6749 §3.1.2.4).
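The validator below is an added example, not code from the original page. It extends the handler above to a per-client registry, the omitted-`redirect_uri` rule, the HTTPS requirement and the RFC 8252 loopback-port relaxation for native apps, while still deciding every case by exact string comparison. The `clients` map, the client IDs and the URIs in it are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Client is a registered OAuth client. RedirectURIs hold the exact strings
// supplied at registration; nothing is derived from them at request time.
type Client struct {
	ID           string
	RedirectURIs []string
	Native       bool // native app (RFC 8252): loopback port may vary
}

// Hypothetical in-memory registry; a real server loads this per client_id.
var clients = map[string]Client{
	"web-app":  {ID: "web-app", RedirectURIs: []string{"https://app.example.com/callback"}},
	"cli-tool": {ID: "cli-tool", Native: true, RedirectURIs: []string{
		"http://127.0.0.1/callback", "http://[::1]/callback"}},
}

var ErrInvalidRedirect = errors.New("invalid redirect_uri")

// ValidateRedirectURI returns the URI the server may redirect to, or an
// error. On error the caller must render an error page and never redirect
// to the requested value (RFC 6749 3.1.2.4).
func ValidateRedirectURI(clientID, requested string) (string, error) {
	client, ok := clients[clientID]
	if !ok {
		return "", errors.New("unknown client_id")
	}
	// redirect_uri may be omitted only when exactly one URI is registered.
	if requested == "" {
		if len(client.RedirectURIs) == 1 {
			return client.RedirectURIs[0], nil
		}
		return "", ErrInvalidRedirect
	}
	// Must be an absolute URI without a fragment (RFC 6749 3.1.2).
	u, err := url.Parse(requested)
	if err != nil || !u.IsAbs() || u.Host == "" || strings.Contains(requested, "#") {
		return "", ErrInvalidRedirect
	}
	candidate := requested
	switch {
	case u.Scheme == "https":
		// Compared exactly as sent.
	case client.Native:
		// Native apps bind an ephemeral loopback port (RFC 8252 7.3): compare
		// with the port removed, everything else still as an exact string.
		stripped, ok := loopbackWithoutPort(u)
		if !ok {
			return "", ErrInvalidRedirect
		}
		candidate = stripped
	default:
		return "", ErrInvalidRedirect // plain http only for native loopback
	}
	// Simple string comparison against each registered URI (RFC 6749 3.1.2.3).
	for _, r := range client.RedirectURIs {
		if r == candidate {
			return requested, nil // keeps the port the native app listens on
		}
	}
	return "", ErrInvalidRedirect
}

// loopbackWithoutPort returns u with its port removed, but only for plain
// http to the loopback literals. "localhost" is not accepted (RFC 8252 8.3).
func loopbackWithoutPort(u *url.URL) (string, bool) {
	host := u.Hostname()
	if u.Scheme != "http" || (host != "127.0.0.1" && host != "::1") {
		return "", false
	}
	stripped := *u
	stripped.Host = host
	if host == "::1" {
		stripped.Host = "[::1]"
	}
	return stripped.String(), true
}

func main() {
	for _, uri := range []string{
		"https://app.example.com/callback",
		"https://app.example.com.attacker.com/callback",
		"https://attacker.com/?app.example.com/callback",
		"http://app.example.com/callback",
	} {
		got, err := ValidateRedirectURI("web-app", uri)
		fmt.Printf("%-48s -> %q %v\n", uri, got, err)
	}
}
```

The switch is the whole policy: an `https` URI is compared as sent, an `http` URI is considered only for a native client and only after `loopbackWithoutPort` has confirmed it targets `127.0.0.1` or `::1`, and everything else is rejected before any comparison happens. Because the loopback branch still ends in `r == candidate`, a registered `http://127.0.0.1/callback` accepts `http://127.0.0.1:53421/callback` but not `http://127.0.0.1:53421/other` or `http://localhost:53421/callback`.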

**Tools:** `golang.org/x/oauth2` (a client library; it does not validate redirect URIs for an authorization server, which must do so itself). Test the server by sending the bypass forms above (`...example.com.attacker.com`, `attacker.com/?example.com`, `example.com@attacker.com`, a `#fragment`, a changed path) and confirming each returns an error page rather than a redirect.
