Invention Grant
- Patent Title: Protecting clients from open redirect security vulnerabilities in web applications
- Application No.: US15447954
- Application Date: 2017-03-02
- Publication No.: US10348701B2
- Publication Date: 2019-07-09
- Inventor: Javier Alejandro Figueroa, Kenneth Scott Bowden
- Applicant: Citrix Systems, Inc.
- Applicant Address: US FL Fort Lauderdale
- Assignee: Citrix Systems, Inc.
- Current Assignee: Citrix Systems, Inc.
- Current Assignee Address: US FL Fort Lauderdale
- Agency: BainwoodHuang
- Main IPC: H04L29/06
- IPC: H04L29/06 ; H04L29/08

Abstract:
Described embodiments protect clients from open redirect security vulnerabilities in Web applications. A primary application receives a request for an operation to be performed on behalf of a secondary application. The request includes a return location parameter containing i) a return location, and ii) an encrypted portion. After completing the requested operation, the primary application retrieves the return location parameter and a cryptographic key uniquely associated with the secondary application. The primary application decrypts the encrypted portion of the return location parameter to generate a decrypted value, and uses the decrypted value to validate the return location contained in the return location parameter. The primary application transmits a redirect message to the client that causes the client to be redirected to the return location contained in the return location parameter only in response to the return location being successfully validated based on the decrypted value.
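The validation flow described in the abstract, sketched as an added Node.js example that is not taken from the patent or from any Citrix code. Assumptions: the encrypted portion is the return location itself encrypted with AES-256-GCM under the secondary application's key, the two parts are joined with `|`, and all names (`KEYS`, `reports-app`, `buildReturnParam`, `validateReturnParam`, `respond`) are hypothetical.

```javascript
// Added illustration; parameter layout, cipher choice and names are assumptions.
const crypto = require('node:crypto');

// Constructed sample: one key per secondary application, shared with the primary application.
const KEYS = new Map([['reports-app', crypto.randomBytes(32)]]);

// Secondary application side: build "<return location>|<encrypted portion>".
function buildReturnParam(appId, returnLocation) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', KEYS.get(appId), iv);
  const ct = Buffer.concat([cipher.update(returnLocation, 'utf8'), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
  return `${returnLocation}|${blob}`;
}

// Primary application side: returns the validated return location, or null.
function validateReturnParam(appId, param) {
  const key = KEYS.get(appId); // key uniquely associated with the secondary application
  const sep = typeof param === 'string' ? param.lastIndexOf('|') : -1;
  if (!key || sep < 0) return null;
  const returnLocation = param.slice(0, sep);
  const blob = Buffer.from(param.slice(sep + 1), 'base64url');
  if (blob.length < 28) return null; // needs 12-byte IV + 16-byte tag
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
    decipher.setAuthTag(blob.subarray(12, 28));
    const decrypted = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
    const claimed = Buffer.from(returnLocation, 'utf8');
    // The decrypted value must match the plaintext return location exactly.
    const ok = decrypted.length === claimed.length && crypto.timingSafeEqual(decrypted, claimed);
    return ok ? returnLocation : null;
  } catch {
    return null; // wrong key or modified encrypted portion
  }
}

// Response sent to the client after the requested operation completes:
// redirect only when the return location validated, otherwise refuse.
function respond(appId, param) {
  const target = validateReturnParam(appId, param);
  return target
    ? { status: 302, headers: { Location: target } }
    : { status: 400, body: 'return location failed validation' };
}
```

A return location swapped in by a third party fails the comparison because the encrypted portion still decrypts to the location the secondary application originally supplied.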
Public/Granted literature
- US20180255068A1 PROTECTING CLIENTS FROM OPEN REDIRECT SECURITY VULNERABILITIES IN WEB APPLICATIONS Public/Granted day: 2018-09-06