Will It Vibe logoWill It Vibe?
AUTHZ-010Medium severity-8 points

CSRF protection removed from a view (@csrf_exempt)

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A Django view is decorated with @csrf_exempt, turning off CSRF protection for a state-changing endpoint.

Why it matters

@csrf_exempt turns off cross-site request forgery protection for a specific Django view. If that view changes state (posts data, updates a record, triggers an action), another site can forge requests that run in a logged-in visitor's session. The decorator is easy to add to silence a token error and easy to forget.

How to fix it

Remove @csrf_exempt from state-changing views and send the CSRF token correctly from the client instead (the csrftoken cookie plus the X-CSRFToken header for AJAX, or {% csrf_token %} in forms). If the endpoint is a token-authenticated API that legitimately does not use cookies, move it to a DRF view with a token/session auth class rather than exempting CSRF on a cookie-authenticated view.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks