Avoid CSRF exemptions on state-changing Django views
Browser-facing Django views that change state should remain CSRF-protected unless they are explicitly token-authenticated APIs.
#Metadata
#Why it matters
Applying `django.views.decorators.csrf.csrf_exempt` to a view disables CSRF checking for session-authenticated browsers, so a cross-site page can forge requests against that view's unsafe methods (POST, PUT, PATCH, DELETE).
#Remediation
Remove `@csrf_exempt` and enforce CSRF tokens on browser-facing views, or restrict the endpoint to non-session (token-based) authentication with an explicitly stated CSRF policy.
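A minimal static check for this rule, added here as an example and not the critiq-rules implementation: it parses Django view code with the standard library `ast` module and flags `csrf_exempt` views that handle unsafe methods. The sample views in `SAMPLE` are constructed for the demonstration.

```python
import ast

UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def _is_csrf_exempt(dec: ast.expr) -> bool:
    """True for @csrf_exempt, @csrf.csrf_exempt and @method_decorator(csrf_exempt, ...)."""
    if isinstance(dec, ast.Call):
        return any(_is_csrf_exempt(a) for a in dec.args)
    if isinstance(dec, ast.Attribute):
        return dec.attr == "csrf_exempt"
    return isinstance(dec, ast.Name) and dec.id == "csrf_exempt"


def _changes_state(func: ast.FunctionDef) -> bool:
    """Heuristic for a state-changing view: a class-based handler named after an
    unsafe method, an unsafe-method string literal (request.method == "POST"),
    or a read of request.POST / request.FILES."""
    if func.name.upper() in UNSAFE_METHODS:
        return True
    for node in ast.walk(func):
        if isinstance(node, ast.Constant) and node.value in UNSAFE_METHODS:
            return True
        if isinstance(node, ast.Attribute) and node.attr in {"POST", "FILES"}:
            return True
    return False


def find_exempt_state_changing_views(source: str) -> list:
    """Return [(view name, line)] for every csrf_exempt view that changes state."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef) and any(map(_is_csrf_exempt, node.decorator_list)):
            if _changes_state(node):
                findings.append((node.name, node.lineno))
    return findings


# Constructed sample views: only delete_account and Transfer.post should be flagged.
SAMPLE = '''\
@csrf_exempt
def delete_account(request):          # exempt AND handles POST -> flagged
    if request.method == "POST":
        request.user.delete()
    return HttpResponse("deleted")

@csrf_exempt
def healthz(request):                 # exempt but read-only -> not flagged
    return HttpResponse("alive")

@require_POST
def change_email(request):            # still behind CsrfViewMiddleware -> not flagged
    request.user.email = request.POST["email"]
    return HttpResponse("ok")

class Transfer(View):
    @method_decorator(csrf_exempt)
    def post(self, request):          # exempt class-based handler for POST -> flagged
        return HttpResponse("sent")
'''

if __name__ == "__main__":
    for name, line in find_exempt_state_changing_views(SAMPLE):
        print(f"line {line}: view {name!r} is csrf_exempt and changes state")
```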
#Repository path
The generated metadata points to `critiq-rules/libs/rules/catalog/rules/python/py.security.django-csrf-exempt-state-changing.rule.yaml`.