SEC007errorPro

oauth-state-validation

OAuth callback missing state parameter validation

Applies to: JavaScript, Python, TypeScript

Why this matters

The OAuth state parameter prevents CSRF attacks during the OAuth flow. Without validating that the state matches what was sent in the initial authorization request, attackers can trick users into linking attacker-controlled accounts or stealing tokens.

Catch it before it ships

pip install stablestack # or: npx stablestackstablestack # scans your project, SEC007 includedstablestack explain SEC007

SEC007 is part of the Pro rule set. See pricing — the free tier ships 24 checks with no signup.

False positive in your codebase? Suppress a single line with # noqa: SEC007