---
title: Use State Parameter for OAuth CSRF
impact: HIGH
impactDescription: prevents login CSRF attacks in OAuth flows
tags: security, oauth, csrf, authentication
---

## Use State Parameter for OAuth CSRF

When using OAuth/OpenID Connect, always include a `state` parameter in the authorization request and validate it on the callback to prevent Cross-Site Request Forgery during the authorization flow. The value must be unguessable, bound to the user's session, and accepted only once.

**Incorrect (missing state):**

```ruby
# Redirecting to OAuth provider without state
redirect_to "https://provider.com/auth?client_id=123"
```

**Correct (with state):**

```ruby
# OmniAuth handles this automatically.
# For a manual implementation, in the action that starts the flow:
state = SecureRandom.hex(16)
session[:oauth_state] = state
redirect_to "https://provider.com/auth?client_id=123&state=#{state}"

# In the callback action: consume the stored value so it can only be used
# once, and compare in constant time.
expected = session.delete(:oauth_state)
unless expected && ActiveSupport::SecurityUtils.secure_compare(expected, params[:state].to_s)
  head :forbidden and return
end
```
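The full round trip as a framework-free model, added here as an example and not part of the original rule. `session` stands in for the server-side session store, and the provider URL and client id are placeholders.

```ruby
require "securerandom"

# Added example: generate, store, and validate an OAuth state value.
module OAuthState
  PROVIDER_URL = "https://provider.example/auth" # placeholder provider
  CLIENT_ID    = "123"                           # placeholder client id

  # Step 1: bind an unguessable state to the user's session and build
  # the authorization redirect URL.
  def self.begin_authorization(session)
    state = SecureRandom.hex(16) # 128 bits of entropy
    session[:oauth_state] = state
    "#{PROVIDER_URL}?client_id=#{CLIENT_ID}&state=#{state}"
  end

  # Step 2: on callback, compare the returned state with the stored one.
  # The stored value is deleted whether or not it matches, so each state
  # is valid exactly once and a captured callback cannot be replayed.
  def self.validate_callback(session, params)
    expected = session.delete(:oauth_state)
    received = params[:state]
    return false if expected.nil? || received.nil?
    secure_compare(expected, received.to_s)
  end

  # Constant-time comparison: XOR every byte pair and OR the results so
  # the running time does not depend on where the first mismatch occurs.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  puts OAuthState.begin_authorization(session)
  puts OAuthState.validate_callback(session, { state: session[:oauth_state] }) # true
  puts OAuthState.validate_callback(session, { state: "replayed" })            # false
end
```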

**Tools:** OmniAuth, Brakeman

---
