← all rules

code/rails-skip-csrf

Rails CSRF token verification skipped

highFramework-awareframework:railsCWE-352ruby

What it detects

`skip_before_action :verify_authenticity_token` disables Rails CSRF protection on a controller. State-changing actions then become triggerable cross-site.

How it runs

Gated on framework detection: the repo's manifests (package.json, requirements.txt, pom.xml, Gemfile, composer.json) are read to identify the stack, and the rule only runs against matching-language files when its framework is present.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.