---
title: Validate OAuth Redirect URIs
impact: HIGH
impactDescription: prevents redirect hijacking and token leakage
tags: security, oauth, redirect, validation
---

## Validate OAuth Redirect URIs

Ensure that the redirect URI sent in the authorization request is one of the values pre-registered for your application, compared as an exact string rather than by prefix or pattern. Never build it from a request parameter, since an attacker-controlled value lets the authorization code or token be delivered to a host the attacker chooses.

**Incorrect (dynamic/unvalidated redirect):**

```ruby
# Allowing user-supplied redirect_uri
redirect_uri = params[:redirect_uri]
redirect_to "https://provider.com/auth?redirect_uri=#{redirect_uri}"
```

**Correct (pre-registered URI):**

```ruby
require "cgi"

# Hardcode the callback or load it from configuration; never derive it from request parameters
CALLBACK_URL = "https://app.com/auth/callback"
# URL-encode the value so the full URI survives as a single query parameter
redirect_to "https://provider.com/auth?redirect_uri=#{CGI.escape(CALLBACK_URL)}"
```
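Where more than one callback is registered (for example a production and a staging deployment), the same rule applies: look the requested value up in an allowlist by exact match and refuse anything else. The following is an added example illustrating that check, not code from this rule page; the allowlist entries and the `provider.com` endpoint are constructed placeholders.

```ruby
require "uri"

# Constructed allowlist of callback URIs registered for this application
# (hypothetical values, not taken from any real deployment).
REGISTERED_REDIRECT_URIS = [
  "https://app.com/auth/callback",
  "https://staging.app.com/auth/callback",
].freeze

# Returns the registered URI that exactly matches the requested one, or nil
# when the request must be rejected. The comparison is plain string equality
# after parsing confirms an absolute https URI with no fragment; no prefix,
# wildcard or substring matching is done, because partial matches are the
# usual source of redirect hijacking.
def resolve_redirect_uri(requested, registered = REGISTERED_REDIRECT_URIS)
  return nil if requested.nil? || requested.empty?
  begin
    uri = URI.parse(requested)
  rescue URI::InvalidURIError
    return nil
  end
  return nil unless uri.is_a?(URI::HTTPS) && uri.fragment.nil?
  registered.find { |allowed| allowed == requested }
end

# Builds the authorization request only for a registered callback,
# URL-encoding the parameter so the URI survives as a single query value.
def build_authorize_url(requested_redirect)
  target = resolve_redirect_uri(requested_redirect)
  return nil if target.nil?
  "https://provider.com/auth?redirect_uri=#{URI.encode_www_form_component(target)}"
end
```

A nil result should be turned into an error response; do not fall back to a default callback, since that masks a misconfigured or tampered request.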

**Tools:** Manual Review
---
