ApplicationController has no CSRF protection
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A cookie-session Rails app should call protect_from_forgery (or rely on the Rails 5+ default it inherits) in ApplicationController, so a state-changing form submission cannot be forged from another origin. This controller does neither, and it is not an API-only controller, which normally has no cookie session to protect in the first place.
Why it matters
protect_from_forgery is what makes Rails require and check the CSRF token on state-changing requests carrying a cookie session. Without it in ApplicationController (or the Rails 5+ default that provides it automatically), a form on another site can submit to this app's endpoints using the visitor's existing session cookie, and the request goes through as if the visitor intended it.
How to fix it
Add protect_from_forgery with: :exception to ApplicationController (this is what rails new generates by default; its absence usually means it was removed at some point). If this really is meant to be a token-authenticated API with no cookie session, inherit from ActionController::API instead, which has no CSRF surface to protect and makes that intent explicit.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo