CSRF protection disabled on a view via @csrf_exempt
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
The @csrf_exempt decorator (or method_decorator(csrf_exempt, ...) on a class-based view) turns off CSRF verification for that specific view, so a state-changing POST to it can be forged from another origin. It is sometimes legitimate for a webhook endpoint authenticated another way, but each use should be reviewed.
Why it matters
@csrf_exempt turns off CSRF verification for exactly the view it decorates, so a state-changing request to that endpoint can be triggered from a page on another site as long as the victim is authenticated in their browser. It is sometimes the right call for a webhook that verifies a signature instead, but every other use is a real gap.
How to fix it
For each @csrf_exempt, decide whether the view is a genuine external webhook that authenticates by signature (Stripe, GitHub, etc.); if so, keep the exemption but verify the signature and leave a comment explaining why. For every other view, remove the decorator and let CsrfViewMiddleware protect it, or switch the client to send the CSRF token if the exemption was only there to work around a missing token.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo