Enforce oauth state parameter validation

  • Release version: Australia
  • Updated March 12, 2026
  • Configure the glide.oauth.state.parameter.required property to protect your instance from cross-site request forgery (CSRF) attacks.

    The glide.oauth.state.parameter.required system property makes the State parameter mandatory in OAuth requests that use the authorization code flow. Beginning in the Madrid release, this system property adds a State parameter to an OAuth request. On zbooted instances the property is true. On upgraded instances the property is not present, so the State parameter is not enforced. The State parameter is a string value and should not contain special characters; it cannot be empty or " ". If the property is not set to true, an attacker can perform CSRF attacks during authentication, which can allow the attacker to perform operations as the victim.

    Ensure that the property glide.oauth.state.parameter.required is set to true.
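    The property makes the instance insist on a State parameter; the protection comes from the client binding that value to the user's session and refusing any callback whose state does not match. The following Python sketch is an added example, not ServiceNow code and not part of this article: state_is_acceptable models the instance-side rule the property controls (present, not empty or blank, no special characters), and build_authorization_url / handle_callback model a client that mints, stores and verifies the state. The endpoint URLs, client id and session dictionary are constructed placeholders, and restricting the state to letters and digits is an assumption made here (the page only says "no special characters").

```python
import hmac
import secrets
import string
from urllib.parse import parse_qs, urlencode, urlparse

# Characters accepted in a state value. The page only says the value must not
# contain special characters, so limiting it to letters and digits is an
# assumption made for this example.
STATE_ALPHABET = frozenset(string.ascii_letters + string.digits)


def state_is_acceptable(state, required=True):
    """Model the instance-side rule controlled by glide.oauth.state.parameter.required.

    required=True models the property set to true: a State parameter must be
    present, must not be empty or blank, and must contain no special characters.
    required=False models the fallback (property absent or false): a missing
    state is tolerated, but a state that is sent is still checked for shape.
    """
    if state is None:
        return not required
    if state.strip() == "":
        return False
    return all(ch in STATE_ALPHABET for ch in state)


def state_from_url(url):
    """Return the state query parameter of an authorization or callback URL."""
    return parse_qs(urlparse(url).query).get("state", [None])[0]


def build_authorization_url(auth_endpoint, client_id, redirect_uri, session):
    """Client side: mint an unguessable state, bind it to the user's session,
    and include it in the authorization request."""
    state = secrets.token_hex(16)          # 32 hex characters, no special characters
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def handle_callback(callback_url, session):
    """Client side: accept the authorization code only if the returned state
    matches the one stored for this session. Returns the code, or None on any
    mismatch, so a code this session never requested is discarded."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [None])[0]
    expected_state = session.pop("oauth_state", None)   # one-time use
    if expected_state is None or returned_state is None:
        return None
    if not hmac.compare_digest(expected_state, returned_state):
        return None
    return query.get("code", [None])[0]


if __name__ == "__main__":
    # Constructed walk-through: a legitimate round trip, then a forged callback.
    session = {}
    url = build_authorization_url("https://idp.example/authorize",
                                  "client-id-placeholder",
                                  "https://client.example/callback", session)
    state = state_from_url(url)
    print(handle_callback(f"https://client.example/callback?code=AUTHCODE&state={state}", session))
    session["oauth_state"] = "freshstate"
    print(handle_callback("https://client.example/callback?code=ATTACKER&state=wrongstate", session))
```

    The server-side check alone only guarantees that a state is present; the mismatch test in handle_callback is what stops a victim's browser from completing an authorization the attacker started, which is the CSRF scenario the property addresses.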

    More information

    • Configuration name: glide.oauth.state.parameter.required
    • Configuration type: System Properties (/sys_properties_list.do)
    • Data type: Boolean
    • Recommended value: true
    • Default value: <none>
    • Fallback value: false
    • Category: Access control
    • Security risk:
        • Severity score: 4.2
        • CVSS rating: Medium
        • Security risk details: Not enabling the glide.oauth.state.parameter.required property in the OAuth authorization code flow increases the risk of cross-site request forgery (CSRF) attacks, potentially allowing attackers to impersonate users and perform unauthorized actions.
    • Functional impact: None
    • Dependencies and prerequisites: None