CSRF verification skipped for an entire controller
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
skip_before_action :verify_authenticity_token with no only:/except: scoping turns off CSRF protection for every action in the controller, not just the one endpoint (commonly a webhook) that actually needed it.
Why it matters
skip_before_action :verify_authenticity_token with no only:/except: option disables CSRF protection for every action in the controller, not just the one endpoint (often a webhook receiver) that actually needed the exemption. Any other cookie-authenticated action in that controller can then be triggered by a form or fetch request hosted on another site.
How to fix it
Scope the skip to the exact action(s) that need it with only: [:webhook_action] (or except: for the rare case where most actions need the exemption). For a webhook endpoint that verifies a provider signature instead of a session, the signature check is the real protection; CSRF exemption there is fine as long as it is scoped narrowly.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo