diff --git a/ql/src/Security/CWE-352/ConstantOauth2State.qhelp b/ql/src/Security/CWE-352/ConstantOauth2State.qhelp index dc15b5de1d9..4400d60e304 100644 --- a/ql/src/Security/CWE-352/ConstantOauth2State.qhelp +++ b/ql/src/Security/CWE-352/ConstantOauth2State.qhelp @@ -5,7 +5,7 @@

OAuth 2.0 clients must implement CSRF protection for the redirection URI, which is typically accomplished by including a "state" value that binds the request to - the user's authenticated state. The Go OAuth 2.0 library allows to specify a "state" value which is then included in the auth code URL, and then provided back by the remote authentication server in the redirect callback, from where it must be validated; failure to do so makes the client susceptible to an CSRF attack. + the user's authenticated state. The Go OAuth 2.0 library allows you to specify a "state" value which is then included in the auth code URL. That state is then provided back by the remote authentication server in the redirect callback, from where it must be validated. Failure to do so makes the client susceptible to an CSRF attack.

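Review bot: the added `+` line in the qhelp still reads "susceptible to an CSRF attack"; the article should be "a CSRF attack" (CSRF is pronounced with a consonant sound), so the typo survives the rewrite. While touching this sentence, consider also saying what a correct `state` value looks like in the same breath as "must be validated": the paragraph explains that the value is echoed back and checked, but the query's point (see its `@name`) is that a constant value defeats that check, and the help text never states that the value needs to be unpredictable and bound to the session. Splitting the long sentence into three is a clear improvement and reads well.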
@@ -23,4 +23,8 @@

+ +
  • IETF: The OAuth 2.0 Authorization Framework
  • +
  • IETF: OAuth 2.0 Security Best Current Practice
  • +
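Review bot: the two new IETF references are given only by document title, so a reader has to search the whole specification to find the part about the `state` parameter and CSRF protection; consider pointing to the relevant section of each document in the link text or in a short parenthetical, since the qhelp body above already uses "CSRF protection for the redirection URI" as the concept readers will be looking for. Also check that the two added blank lines (the `+ +` before the first bullet) are intended and match the spacing convention used by the other qhelp reference lists in this directory.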
    diff --git a/ql/src/Security/CWE-352/ConstantOauth2State.ql b/ql/src/Security/CWE-352/ConstantOauth2State.ql index ea8ce5b4875..23d55e69e71 100644 --- a/ql/src/Security/CWE-352/ConstantOauth2State.ql +++ b/ql/src/Security/CWE-352/ConstantOauth2State.ql @@ -1,5 +1,5 @@ /** - * @name Use of constant `state` value in OAuth 2.0 URL. + * @name Use of constant `state` value in OAuth 2.0 URL * @description Using a constant value for the `state` in the OAuth 2.0 URL makes the application * susceptible to CSRF attacks. * @kind path-problem