Will It Vibe logoWill It Vibe?
RAILS-006Medium severity-8 points

CSRF verification skipped for an entire controller

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

skip_before_action :verify_authenticity_token with no only:/except: scoping turns off CSRF protection for every action in the controller, not just the one endpoint (commonly a webhook) that actually needed it.

Why it matters

skip_before_action :verify_authenticity_token with no only:/except: option disables CSRF protection for every action in the controller, not just the one endpoint (often a webhook receiver) that actually needed the exemption. Any other cookie-authenticated action in that controller can then be triggered by a form or fetch request hosted on another site.

How to fix it

Scope the skip to the exact action(s) that need it with only: [:webhook_action] (or except: for the rare case where most actions need the exemption). For a webhook endpoint that verifies a provider signature instead of a session, the signature check is the real protection; CSRF exemption there is fine as long as it is scoped narrowly.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks