Use protect_from_forgery with: :exception (#6926)

Matt Van Horn · Matt Van Horn · web-flow · commit 63311c5bb8b6 · 2026-05-04T22:53:35.000-07:00
Use protect_from_forgery with: :exception (#6920) CodeQL alert #60 (rb/csrf-protection-disabled, CWE-352): calling protect_from_forgery with no with: argument downgrades the failure mode to with: :null_session, weaker than the Rails 5+ default of with: :exception that ActionController::Base would otherwise apply. Make the strategy explicit so the call no longer weakens the default, matching option 2 from the issue (more self-documenting than removing the call entirely). Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -4,7 +4,7 @@ class ApplicationController < ActionController::Base
   include Organizational
   include Users::TimeZone
 
-  protect_from_forgery
+  protect_from_forgery with: :exception
   before_action :store_user_location!, if: :storable_location?
   before_action :authenticate_user!
   before_action :set_current_user
